Impact
An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass cms.safe_mode / cms.enableSafeMode in order to execute arbitrary code.
- This issue only affects admin panels that rely on safe mode and restricted permissions.
- To exploit this vulnerability, an attacker must first have access to the backend area.
Patches
The issue has been patched in Build 474 (v1.0.474) and v1.1.10.
Workarounds
Apply octobercms/library@c393c5c to your installation manually if unable to upgrade to Build 474 or v1.1.10.
References
Credits to:
For more information
If you have any questions or comments about this advisory: