October is vulnerable to arbitrary code execution. An authenticated backend user with the `cms.manage_pages`, `cms.manage_layouts`, or `cms.manage_partials` permission can write malicious Twig code that escapes the sandbox, even if `cms.enableSafeMode` is set. This vulnerability is a bypass of the fix applied for CVE-2020-15247.

| CPE | Name | Operator | Version |
|---|---|---|---|
| | october/october | eq | 1.1.0 |
| | october/october | le | 1.0.469 |
| | october/cms | eq | 1.1.0 |
| | october/cms | le | 1.0.469 |
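
To check a deployment against the ranges in the table above, the following added example (not code from the advisory or the October project) scans a `composer.lock` for the listed packages. The function names are hypothetical and the sample lock file is constructed; versions outside the listed ranges are reported only as "not listed", since the table names no fixed release.

```python
import json
import re

# Affected ranges exactly as listed in the advisory table above.
AFFECTED = {
    "october/october": [("eq", (1, 1, 0)), ("le", (1, 0, 469))],
    "october/cms": [("eq", (1, 1, 0)), ("le", (1, 0, 469))],
}

def parse_version(text):
    """Return (major, minor, patch), or None for non-numeric refs such as dev branches."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(name, version):
    """True/False per the advisory ranges; None when the version cannot be compared."""
    rules = AFFECTED.get(name.lower())
    if rules is None:
        return False
    parsed = parse_version(version)
    if parsed is None:
        return None
    return any((op == "eq" and parsed == bound) or (op == "le" and parsed <= bound)
               for op, bound in rules)

def audit_lock(lock_text):
    """Scan composer.lock content; return [(package, version, verdict)] for listed packages."""
    labels = {True: "affected", False: "not listed", None: "review manually"}
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:  # composer may emit null for an empty section
            name, version = pkg.get("name", ""), pkg.get("version", "")
            if name.lower() in AFFECTED:
                findings.append((name, version, labels[is_affected(name, version)]))
    return findings

# Constructed sample composer.lock content, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "october/cms", "version": "v1.0.469"},
        {"name": "october/rain", "version": "v1.0.469"},  # not in the advisory table
    ],
    "packages-dev": [{"name": "october/cms", "version": "dev-develop"}],
})

if __name__ == "__main__":
    for name, version, verdict in audit_lock(SAMPLE_LOCK):
        print(f"{name} {version}: {verdict}")
```

A "review manually" verdict means the lock file pins a branch or other non-numeric reference, so the installed commit has to be checked by hand.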