8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32649

GHSA ID

GHSA-wv23-pfj7-2mjj

EPSS Score

0.62611%

CWE

CWE-74

Published

1/14/2022

Updated

1/30/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32649

CVE-2021-32649: October/System authenticated file write leads to remote code execution

Impact

Assuming an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially crafted Twig code in the template markup.

Patches

Issue has been patched in Build 473 and v1.1.6

Workarounds

Apply https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26 to your installation manually if you are unable to upgrade.

References

Credits to: • David Miller

For more information

If you have any questions or comments about this advisory:

Email us at hello@octobercms.com

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32649

GHSA ID

GHSA-wv23-pfj7-2mjj

EPSS Score

0.62611%

CWE

CWE-74

Published

1/14/2022

Updated

1/30/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
october/system	composer	>= 1.1.0, < 1.1.6	1.1.6
october/system	composer	< 1.0.473	1.0.473

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: (1) The import handlers (index_onLoadImportForm and index_onImport) in Themes.php allowed template imports without safe mode validation, enabling attackers to inject malicious Twig code. (2) The Twig SecurityPolicy's blockedMethods list (in SecurityPolicy.php) initially excluded the 'write' method, allowing attackers to call it via Twig templates. While the SecurityPolicy's configuration (blockedMethods array) is critical, it is a class property rather than a function. The primary exploitable entry points are the import functions, which directly enabled template injection. The 'write' method (in Halcyon models) was dangerous when called via Twig, but its vulnerability depends on the SecurityPolicy's missing block, not the method itself.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ssumin* *n *tt**k*r wit* "*r**t*, mo*i*y *n* **l*t* w**sit* p***s" privil***s in t** ***k*n* is **l* to *x**ut* P*P *o** *y runnin* sp**i*lly *r**t** Twi* *o** in t** t*mpl*t* m*rkup. ### P*t***s Issu* **s ***n p*t**** in *uil* *** *n*

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: (*) T** import **n*l*rs (in**x_onLo**Import*orm *n* in**x_onImport) in T**m*s.p*p *llow** t*mpl*t* imports wit*out s*** mo** v*li**tion, *n**lin* *tt**k*rs to inj**t m*li*ious Twi* *o**. (*) T** Twi* S**ur

8.8

Basic Information

Concerned about an active attack path?

CVE-2021-32649: October/System authenticated file write leads to remote code execution

Impact

Patches

Workarounds

References

For more information

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI