4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-44381

GHSA ID

GHSA-q22j-5r3g-9hmh

EPSS Score

0.39294%

CWE

CWE-94

Published

11/29/2023

Updated

12/4/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-44381

CVE-2023-44381: October CMS safe mode bypass using Page template injection

Impact

An authenticated backend user with the editor.cms_pages, editor.cms_layouts, or editor.cms_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.safe_mode being enabled can craft a special request to include PHP code in the CMS template.

This is not a problem for anyone who trusts their users with those permissions to usually write & manage PHP within the CMS by not having cms.safe_mode enabled. Still, it would be a problem for anyone relying on cms.safe_mode to ensure that users with those permissions in production do not have access to write and execute arbitrary PHP.

Patches

This issue has been patched in v3.4.15.

Workarounds

As a workaround, remove the specified permissions from untrusted users.

References

Credits to:

Vasiliy Bodrov

For more information

If you have any questions or comments about this advisory:

Email us at hello@octobercms.com

(GitHub Advisory)

4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-44381

GHSA ID

GHSA-q22j-5r3g-9hmh

EPSS Score

0.39294%

CWE

CWE-94

Published

11/29/2023

Updated

12/4/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
october/system	composer	>= 3.0.0, < 3.4.15	3.4.15

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper enforcement of cms.safe_mode restrictions when processing CMS templates. Functions handling template rendering (e.g., renderPage) and backend save operations (e.g., onSave) are critical points where user input could bypass safe mode checks. These functions likely lacked proper validation to strip or block PHP code in templates when safe mode was enabled, allowing crafted payloads to execute. The high confidence stems from the CWE-94 context (code injection) and the workflow described in the advisory, where backend users with template editing permissions exploit these functions to inject PHP.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n *ut**nti**t** ***k*n* us*r wit* t** `**itor.*ms_p***s`, `**itor.*ms_l*youts`, or `**itor.*ms_p*rti*ls` p*rmissions w*o woul* norm*lly not ** p*rmitt** to provi** P*P *o** to ** *x**ut** *y t** *MS *u* to `*ms.s***_mo**` **in* *n**l** *

Reasoning

T** vuln*r**ility st*ms *rom improp*r *n*or**m*nt o* `*ms.s***_mo**` r*stri*tions w**n pro**ssin* *MS t*mpl*t*s. *un*tions **n*lin* t*mpl*t* r*n**rin* (*.*., r*n**rP***) *n* ***k*n* s*v* op*r*tions (*.*., onS*v*) *r* *riti**l points w**r* us*r input

4.9

Basic Information

Concerned about an active attack path?

CVE-2023-44381: October CMS safe mode bypass using Page template injection

Impact

Patches

Workarounds

References

For more information

4.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI