An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass cms.safe_mode / cms.enableSafeMode in order to execute arbitrary code.
The issue has been patched in Build 474 (v1.0.474) and v1.1.10.
Apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually if unable to upgrade to Build 474 or v1.1.10.
Credits to:
If you have any questions or comments about this advisory: