CVE-2023-44382

CVSS 3.1 Score 9.1 of 10 (high)

Details

Published Dec 1, 2023

Updated: Dec 6, 2023

CWE ID 94

Summary

CVE-2023-44382 is a vulnerability affecting October CMS, a popular Content Management System. This issue grants authenticated backend users with specific permissions, such as `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials`, the ability to bypass the system's `cms.safe_mode` setting and execute arbitrary PHP code through Twig templates, despite not having the necessary permissions to do so. This vulnerability poses a significant risk for websites using October CMS and has been addressed in version 3.4.15.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Octobercms October

Affected Vendors

Octobercms

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/s0v5Xo
https://www.cve.org/CVERecord?id=CVE-2023-44382
https://nvd.nist.gov/vuln/detail/CVE-2023-44382

Back to Vulnerability Database