Advisory Database
  • Advisories
  • Dependency Scanning
  1. composer
  2. ›
  3. october/october
  4. ›
  5. CVE-2021-21264

CVE-2021-21264: Missing Authorization

May 3, 2021 (updated October 19, 2022)

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-26231 was discovered that has the same impact as CVE-2020-26231 & CVE-2020-15247. An authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having cms.enableSafeMode enabled, but would be a problem for anyone relying on cms.enableSafeMode to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP.

References

  • nvd.nist.gov/vuln/detail/CVE-2021-21264

Code Behaviors & Features

Detect and mitigate CVE-2021-21264 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions up to 1.0.471, all versions starting from 1.1.0 up to 1.1.1

Fixed versions

  • 1.0.472
  • 1.1.2

Solution

Upgrade to versions 1.0.472, 1.1.2 or above.

Impact 5.2 MEDIUM

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Learn more about CVSS

Source file

packagist/october/october/CVE-2021-21264.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:15:07 +0000.