October CMS Users Beware of New Twig Sandbox Bypass Vulnerability

CVSS v3.1: 9.1

October CMS, a popular open source CMS and web development platform, was recently found to have a vulnerability that allows authenticated backend users to bypass security restrictions and execute arbitrary PHP code.

The issue affects October CMS versions prior to 3.4.15 and involves Twig, the templating engine used by October. Normally, the CMS’s “safe mode” prevents users from inputting PHP code directly. However, attackers could abuse a Twig sandbox bypass to run PHP despite these protections.

This works by writing special Twig code that escapes the sandbox and then executes PHP functions. An attacker who has permissions to edit pages, layouts or partials could add a malicious Twig template to achieve remote code execution on the server.

If you use October CMS, update to version 3.4.15 to patch this vulnerability. Administrators should also carefully manage which users are permitted to edit pages, layouts and partials, since that permission is what an attacker needs to plant a malicious template. Basic practices such as keeping software updated help prevent exploitation of issues like this Twig sandbox bypass.

While technical in nature, software vulnerabilities can have serious consequences if exploited. By staying vigilant with updates and access controls, October CMS users can help strengthen their websites against these types of threats.