CVE-2020-26231

{"id": "CVE-2020-26231", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.4, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 1.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}]}, "published": "2020-11-23T21:15:12.347", "references": [{"url": "https://github.com/octobercms/october/commit/d34fb8ab51108495a9a651b841202d935f4e12f7", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/octobercms/october/security/advisories/GHSA-r89v-cgv7-3jhx", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/octobercms/october/commit/d34fb8ab51108495a9a651b841202d935f4e12f7", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/octobercms/october/security/advisories/GHSA-r89v-cgv7-3jhx", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in 1.0.469 and 1.1.0) was discovered that has the same impact as CVE-2020-15247. An authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having cms.enableSafeMode enabled, but would be a problem for anyone relying on cms.enableSafeMode to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP. Issue has been patched in Build 470 (v1.0.470) and v1.1.1."}, {"lang": "es", "value": "October es una plataforma CMS gratuita, de c\u00f3digo abierto y autohosteada basada en Laravel PHP Framework. Se detect\u00f3 un bypass de CVE-2020-15247 (corregido en versiones 1.0.469 y 1.1.0), que tiene el mismo impacto que CVE-2020-15247. Un usuario del backend autenticado con los permisos cms.manage_pages, cms.manage_layouts o cms.manage_partials que normalmente no podr\u00eda proporcionar c\u00f3digo PHP para ser ejecutado por el CMS debido a que cms.enableSafeMode est\u00e1 habilitado, puede escribir c\u00f3digo Twig espec\u00edfico para escapar del sandbox de Twig y ejecutar PHP arbitrario. Esto no es un problema para cualquiera que conf\u00ede en sus usuarios con esos permisos para escribir y administrar PHP normalmente dentro del CMS al no tener cms.enableSafeMode habilitado, pero ser\u00eda un problema para cualquiera que conf\u00ede en cms.enableSafeMode para asegurarse de que los usuarios con esos permisos en producci\u00f3n no tienen acceso para escribir y ejecutar PHP arbitrario. El problema se corrigi\u00f3 en Build 470 (versi\u00f3n v1.0.470) y versi\u00f3n v1.1.1"}], "lastModified": "2024-11-21T05:19:36.200", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octobercms:october:1.0.469:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40EC0658-E1FF-4267-951C-5AB8185E70CB"}, {"criteria": "cpe:2.3:a:octobercms:october:1.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7A37D3A-A944-4F0A-A023-04FEAD7BE347"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}