CVE-2020-26231: Missing Authorization

November 23, 2020 (updated December 8, 2020)

An authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.

References

nvd.nist.gov/vuln/detail/CVE-2020-26231

Detect and mitigate CVE-2020-26231 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →