October CMS Twig Sandbox Bypass Vulnerability

Vulnerability

A sandbox bypass vulnerability has been identified in October CMS versions prior to 3.7.13 and versions 4.0.0 through 4.1.4. The issue resides in the optional Twig safe mode feature ('CMS_SAFE_MODE'): certain methods on the 'collect()' helper were not adequately restricted, so an authenticated user with CMS template editing permissions can bypass the sandbox protections that safe mode is meant to enforce. Only installations with 'CMS_SAFE_MODE' enabled are affected (it is disabled by default), and exploitation requires authenticated backend access with CMS template editing permissions.

Impact

Exploitation bypasses the Twig sandbox restrictions that 'CMS_SAFE_MODE' is meant to enforce, potentially allowing unauthorized template modifications or execution of malicious code within the Twig environment. Because the attacker must already hold template editing rights, the boundary crossed is the safe-mode sandbox, not authentication.

Remediation

Upgrade to October CMS 3.7.13 or 4.1.5, where this vulnerability has been patched. If an immediate upgrade is not possible, restrict CMS template editing permissions to fully trusted administrators only. 'CMS_SAFE_MODE' can also be disabled where untrusted template editing is not needed; note that this removes the sandbox rather than hardening it, so it is only appropriate when every template editor is already fully trusted.
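As an added example (not October CMS project code, and not from the page's author), the following POSIX shell script turns the two conditions from the Vulnerability and Remediation sections into a check you can run against an install: whether the version sits in an affected range (below 3.7.13, or 4.0.0 through 4.1.4) and whether 'CMS_SAFE_MODE' is switched on in the site's .env. The sample .env and the version strings fed to it are constructed for this example; the 'assess' helper and its result labels are this example's own, and the assumption that an unset or null key falls back to a default in config/cms.php is marked in the code.

```shell
#!/bin/sh
# Added example (not October CMS project code): decide whether an install is in
# the affected range for the Twig safe-mode sandbox bypass (< 3.7.13, or
# 4.0.0 through 4.1.4, per the advisory) and whether CMS_SAFE_MODE is switched
# on in its .env. The version strings and the sample .env below are constructed.

# Print "major minor patch" for a version such as 3.7.13, v4.1.5 or 4.1.5-beta1.
parse_version() {
    v=${1#v}
    v=${v%%[!0-9.]*}              # drop a pre-release suffix like "-beta1"
    major=${v%%.*}
    rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    echo "${major:-0} ${minor:-0} ${patch:-0}"
}

# Collapse a version into one integer so ranges can be compared with -lt/-le.
version_key() {
    set -- $(parse_version "$1")
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Return 0 (true) when the version falls inside an affected range.
is_affected_version() {
    k=$(version_key "$1")
    [ "$k" -lt "$(version_key 3.7.13)" ] && return 0
    [ "$k" -ge "$(version_key 4.0.0)" ] && [ "$k" -le "$(version_key 4.1.4)" ] && return 0
    return 1
}

# Report the CMS_SAFE_MODE value in a .env file as enabled / disabled / unset.
# "unset" covers a missing key, a null value and an unreadable file; in that
# case the effective value comes from the application's config default
# (assumed here to live in config/cms.php), which this script does not read.
safe_mode_setting() {
    [ -r "$1" ] || { echo unset; return 0; }
    val=$(sed -n 's/^[[:space:]]*CMS_SAFE_MODE[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    val=$(printf '%s' "$val" | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            | tr -d "\"'" | tr 'A-Z' 'a-z')
    case "$val" in
        true|1|on|yes)  echo enabled ;;
        false|0|off|no) echo disabled ;;
        *)              echo unset ;;
    esac
}

# Combine both checks: assess VERSION ENV_FILE
# Result labels are this example's own, not advisory terminology.
assess() {
    if ! is_affected_version "$1"; then
        echo not-affected
        return 0
    fi
    case "$(safe_mode_setting "$2")" in
        enabled)  echo exposed ;;                        # patch, or restrict template editors, now
        disabled) echo affected-version-safe-mode-off ;; # no sandbox to bypass; editors must be trusted anyway
        *)        echo affected-version-check-config ;;  # config default applies; confirm it before relying on it
    esac
}

# Constructed sample .env (not taken from any real installation).
SAMPLE_ENV=$(mktemp)
cat >"$SAMPLE_ENV" <<'EOF'
APP_DEBUG=false
CMS_SAFE_MODE=true
EOF

for v in 3.7.12 3.7.13 4.1.4 4.1.5; do
    printf '%-7s %s\n' "$v" "$(assess "$v" "$SAMPLE_ENV")"
done
# prints:
# 3.7.12  exposed
# 3.7.13  not-affected
# 4.1.4   exposed
# 4.1.5   not-affected
```

On a live install, pass the version your instance reports (for example from 'php artisan october:version', assumed here to be available) together with the path to its .env; an 'exposed' result means both conditions hold and the upgrade or permission restriction above applies. The integer key keeps the range test honest at the boundaries (3.7.13 and 4.1.5 are fixed, 4.1.4 is not), which a plain string comparison would get wrong for two-digit patch numbers.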

Added: Apr 14, 2026, 11:17 PM
Updated: Apr 14, 2026, 11:17 PM

Vulnerability Rating

Custom Algorithm
spread          3.4
impact          2.5
exploitability  5.4
remediation     8.3
relevance       5.9
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.