CVE-2020-26231 - Vulnerability Details

Vendors	Products
Octobercms	October

Link	Providers
https://github.com/octobercms/october/commit/d34fb8ab51108495a9a651b841202d935f4e12f7
https://github.com/octobercms/october/security/advisories/GHSA-r89v-cgv7-3jhx

{"containers": {"cna": {"affected": [{"product": "october", "vendor": "octobercms", "versions": [{"status": "affected", "version": "= 1.0.469"}]}], "descriptions": [{"lang": "en", "value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in 1.0.469 and 1.1.0) was discovered that has the same impact as CVE-2020-15247. An authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having cms.enableSafeMode enabled, but would be a problem for anyone relying on cms.enableSafeMode to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP. Issue has been patched in Build 470 (v1.0.470) and v1.1.1."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-23T20:55:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-r89v-cgv7-3jhx"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/octobercms/october/commit/d34fb8ab51108495a9a651b841202d935f4e12f7"}], "source": {"advisory": "GHSA-r89v-cgv7-3jhx", "discovery": "UNKNOWN"}, "title": "Bypass of fix for CVE-2020-15247, Twig sandbox escape", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2020-26231", "STATE": "PUBLIC", "TITLE": "Bypass of fix for CVE-2020-15247, Twig sandbox escape"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "october", "version": {"version_data": [{"version_value": "= 1.0.469"}]}}]}, "vendor_name": "octobercms"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in 1.0.469 and 1.1.0) was discovered that has the same impact as CVE-2020-15247. An authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having cms.enableSafeMode enabled, but would be a problem for anyone relying on cms.enableSafeMode to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP. Issue has been patched in Build 470 (v1.0.470) and v1.1.1."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862 Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/octobercms/october/security/advisories/GHSA-r89v-cgv7-3jhx", "refsource": "CONFIRM", "url": "https://github.com/octobercms/october/security/advisories/GHSA-r89v-cgv7-3jhx"}, {"name": "https://github.com/octobercms/october/commit/d34fb8ab51108495a9a651b841202d935f4e12f7", "refsource": "MISC", "url": "https://github.com/octobercms/october/commit/d34fb8ab51108495a9a651b841202d935f4e12f7"}]}, "source": {"advisory": "GHSA-r89v-cgv7-3jhx", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:56:03.105Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-r89v-cgv7-3jhx"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/octobercms/october/commit/d34fb8ab51108495a9a651b841202d935f4e12f7"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26231", "datePublished": "2020-11-23T20:55:14", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:03.105Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:octobercms:october:1.0.469:*:*:*:*:*:*:*", "matchCriteriaId": "40EC0658-E1FF-4267-951C-5AB8185E70CB", "vulnerable": true}, {"criteria": "cpe:2.3:a:octobercms:october:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "C7A37D3A-A944-4F0A-A023-04FEAD7BE347", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in 1.0.469 and 1.1.0) was discovered that has the same impact as CVE-2020-15247. An authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having cms.enableSafeMode enabled, but would be a problem for anyone relying on cms.enableSafeMode to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP. Issue has been patched in Build 470 (v1.0.470) and v1.1.1."}, {"lang": "es", "value": "October es una plataforma CMS gratuita, de c\u00f3digo abierto y autohosteada basada en Laravel PHP Framework. Se detect\u00f3 un bypass de CVE-2020-15247 (corregido en versiones 1.0.469 y 1.1.0), que tiene el mismo impacto que CVE-2020-15247. Un usuario del backend autenticado con los permisos cms.manage_pages, cms.manage_layouts o cms.manage_partials que normalmente no podr\u00eda proporcionar c\u00f3digo PHP para ser ejecutado por el CMS debido a que cms.enableSafeMode est\u00e1 habilitado, puede escribir c\u00f3digo Twig espec\u00edfico para escapar del sandbox de Twig y ejecutar PHP arbitrario. Esto no es un problema para cualquiera que conf\u00ede en sus usuarios con esos permisos para escribir y administrar PHP normalmente dentro del CMS al no tener cms.enableSafeMode habilitado, pero ser\u00eda un problema para cualquiera que conf\u00ede en cms.enableSafeMode para asegurarse de que los usuarios con esos permisos en producci\u00f3n no tienen acceso para escribir y ejecutar PHP arbitrario. El problema se corrigi\u00f3 en Build 470 (versi\u00f3n v1.0.470) y versi\u00f3n v1.1.1"}], "id": "CVE-2020-26231", "lastModified": "2024-11-21T05:19:36.200", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.1, "impactScore": 3.7, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2020-11-23T21:15:12.347", "references": [{"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/octobercms/october/commit/d34fb8ab51108495a9a651b841202d935f4e12f7"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-r89v-cgv7-3jhx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/octobercms/october/commit/d34fb8ab51108495a9a651b841202d935f4e12f7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-r89v-cgv7-3jhx"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "[email protected]", "type": "Secondary"}]}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object