CVE-2023-44382

Name of the Vulnerable Software and Affected Versions October versions prior to 3.4.15

Description The issue allows an authenticated backend user with the editor.cms pages, editor.cms layouts, or editor.cms partials permissions to write specific Twig code and execute arbitrary PHP, despite cms.safe mode being enabled. This is problematic for those relying on cms.safe mode to restrict users from writing and executing arbitrary PHP.

Recommendations For versions prior to 3.4.15, update to version 3.4.15 to resolve the issue. As a temporary workaround, consider removing the editor.cms pages, editor.cms layouts, or editor.cms partials permissions from untrusted users.