CVE-2021-21264: Missing Authorization in CMS

Severity: 5.2 MEDIUM (NVD)
EPSS: 0.0% (top 90.15%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 3; latest update May 4

Description

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-26231 (fixed in 1.0.470/471 and 1.1.1) was discovered that has the same impact as CVE-2020-26231 & CVE-2020-15247. An authenticated backend user with the `cms.manage_pages`, `cms.manage_layouts`, or `cms.manage_partials` permissions who would **normally** not be permitted to provide PHP code to be executed by the CMS due to `cms.enableSafeMode` being enabled is able to write specific

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (Exploitability: 1.1 | Impact: 3.7)

Affected Packages (2 packages)

| Source    | Package            | Affected | Fixed   | Further ranges |
|-----------|--------------------|----------|---------|----------------|
| NVD       | octobercms/october | 1.1.0    | 1.1.1   | +1             |
| Packagist | october/cms        | 1.0.471  | 1.0.472 | +1             |
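As an added example, not code from this advisory page or from the October CMS project: a small checker that reads a `composer.lock` and reports whether the installed `october/cms` or `octobercms/october` version falls inside the affected ranges listed in the table above. Two assumptions are made: each table row is read as "vulnerable from the affected version up to, but not including, the fixed version", and the sample lock file is constructed here for the demonstration. The table also marks one further range per package ("+1") that the page does not show, so the checker only knows the visible ones; a version below the listed affected version is reported as outside the listed range, not as safe.

```python
import json
import re
from typing import List, Optional, Tuple

# Affected -> fixed versions copied from the Affected Packages table above.
# Assumption (not stated on the page): a row means "vulnerable from the
# affected version up to, but not including, the fixed version". The "+1"
# ranges the page does not show are not represented here.
AFFECTED_RANGES = {
    "october/cms": [("1.0.471", "1.0.472")],
    "octobercms/october": [("1.1.0", "1.1.1")],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v1.0.471' or '1.1.0' into a tuple of ints.

    Composer versions may carry suffixes such as '-dev' or '+build'; anything
    after the leading dotted numeric part is dropped. A branch alias like
    'dev-master' has no numeric prefix and yields an empty tuple, which the
    callers treat as "unknown" rather than guessing.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        return ()
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison with zero-padding so '1.1' equals '1.1.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def is_in_range(version: str, introduced: str, fixed: str) -> Optional[bool]:
    """True if introduced <= version < fixed; None if version is unparsable."""
    if not parse_version(version):
        return None
    return not version_lt(version, introduced) and version_lt(version, fixed)


def check_composer_lock(lock_json: str) -> List[dict]:
    """Return one finding per installed package that appears in AFFECTED_RANGES.

    status is 'vulnerable', 'not_in_listed_range' or 'unknown' (version could
    not be parsed, e.g. a dev branch install that should be checked by hand).
    """
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name not in AFFECTED_RANGES:
                continue
            version = pkg.get("version", "")
            status, fixed_in = "not_in_listed_range", None
            for introduced, fixed in AFFECTED_RANGES[name]:
                hit = is_in_range(version, introduced, fixed)
                if hit is None:
                    status = "unknown"
                    break
                if hit:
                    status, fixed_in = "vulnerable", fixed
                    break
            findings.append({
                "package": name,
                "installed": version,
                "status": status,
                "fixed_in": fixed_in,
            })
    return findings


# Constructed sample composer.lock (not from any real installation).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "october/cms", "version": "v1.0.471"},
        {"name": "laravel/framework", "version": "v5.5.0"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    for finding in check_composer_lock(SAMPLE_LOCK):
        print(finding)
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with the file contents; a `vulnerable` finding means the installed version is below the fix listed on this page and the upgrade is the remediation, since the page lists no alternative patch.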

Patches

Vulnerability Details (2 references)

- OSV: Bypass of fix for CVE-2020-26231, Twig sandbox escape (2021-05-04)
- GHSA: Bypass of fix for CVE-2020-26231, Twig sandbox escape (2021-05-04)