PT-2020-14312 · October · October Cms

Ka1N4T · Published 2020-11-23 · Updated 2021-11-18 · CVE-2020-15247

CVSS v3.1: 5.2 (Medium)
Vector: AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: October CMS versions 1.0.319 through 1.0.468

Description: The issue allows an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions to write specific Twig code that escapes the Twig sandbox and executes arbitrary PHP, even when cms.enableSafeMode is enabled. This is a problem for anyone relying on cms.enableSafeMode to ensure that users with those permissions in production cannot write and execute arbitrary PHP.

Recommendations: For October CMS versions 1.0.319 through 1.0.468, update to Build 469 (v1.0.469) or v1.1.0 to resolve the issue. As a temporary workaround, consider applying the patch manually to your installation using the comparison provided at https://github.com/octobercms/october/compare/106daa2930de4cebb18732732d47d4056f01dd5b...7cb148c1677373ac30ccfd3069d18098e403e1ca

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2020-15247
GHSA-94VP-RMQV-5875

Affected Products

October Cms