PT-2020-16360 · October · October Cms

Ka1N4T · Published 2020-11-23 · Updated 2020-12-08 · CVE-2020-26231

CVSS v3.1: 5.2 (Medium)
Vector: AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: October CMS versions prior to 1.0.470; October CMS versions prior to 1.1.1

Description: A bypass was discovered that allows an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions to write specific Twig code and execute arbitrary PHP, despite cms.enableSafeMode being enabled. This issue affects users who rely on cms.enableSafeMode to restrict access to writing and executing arbitrary PHP in production.

Recommendations: For October CMS versions prior to 1.0.470, update to Build 470 (v1.0.470) or apply the patch from https://github.com/octobercms/october/commit/d34fb8ab51108495a9a651b841202d935f4e12f7 manually. For October CMS versions prior to 1.1.1, update to v1.1.1 or apply the same patch manually.

Fix

Weakness: Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2020-26231
GHSA-R89V-CGV7-3JHX

Affected Products

October Cms