CVE-2021-32649
📋 TL;DR
October CMS versions before 1.0.473 and 1.1.6 contain a vulnerability where authenticated backend users with 'create, modify and delete website pages' privileges can execute arbitrary PHP code by injecting specially crafted Twig code into template markup. This allows privilege escalation from limited backend access to full server compromise. All October CMS installations using vulnerable versions are affected.
💻 Affected Systems
- October CMS
📦 What is this software?
October by Octobercms
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, ransomware deployment, lateral movement to other systems, and complete loss of system integrity.
Likely Case
Attacker with legitimate backend access escalates privileges to execute arbitrary code, potentially gaining shell access, installing backdoors, or exfiltrating sensitive data.
If Mitigated
With proper access controls limiting backend privileges and network segmentation, impact is contained to the affected CMS instance only.
🎯 Exploit Status
Exploitation requires authenticated backend access but is straightforward once access is obtained. Public proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.473 or 1.1.6
Vendor Advisory: https://github.com/octobercms/october/security/advisories/GHSA-wv23-pfj7-2mjj
Restart Required: No
Instructions:
1. Back up your October CMS installation and database.
2. Update to version 1.0.473 or 1.1.6 via the October CMS backend updater or manually via composer.
3. Verify that the update completed successfully.
4. Clear any cached templates or compiled files.
🔧 Temporary Workarounds
Manual patch application
If you are unable to upgrade to a patched version, apply the security patch manually: apply the changes from commit 167b592eed291ae1563c8fcc5b9b34a03a300f26 to your installation.
🧯 If You Can't Patch
- Immediately restrict backend access to only essential personnel and implement principle of least privilege
- Implement web application firewall rules to block Twig code execution patterns and monitor for suspicious template modifications
🔍 How to Verify
Check if Vulnerable:
Check your October CMS version in the backend dashboard or via composer show october/system
Check Version:
composer show october/system | grep version
Verify Fix Applied:
Verify version is 1.0.473 or higher (for v1.0.x) or 1.1.6 or higher (for v1.1.x)
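An added version check (example code, not from the advisory or the October CMS project) that applies the branch-specific thresholds above: versions are compared component by component rather than as strings, and the `composer show october/system` output format it parses ("versions : * v1.1.5") is an assumption to confirm locally.

```shell
#!/bin/sh
# Added example, not from the advisory or the October CMS project:
# classify an installed October CMS version against the CVE-2021-32649
# patched releases (1.0.473 for the 1.0.x branch, 1.1.6 for 1.1.x).
# A plain string comparison would get 1.1.10 vs 1.1.6 wrong, so the
# components are compared numerically.

# ver_lt A B: succeeds when dotted version A is strictly older than B.
# A leading "v" and any "-suffix" are stripped first. Runs in a subshell
# so changing IFS does not leak into the caller.
ver_lt() (
  a=${1#v}; a=${a%%-*}; b=${2#v}; b=${b%%-*}
  IFS=.
  set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  if   [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ]
  elif [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ]
  else [ "$a3" -lt "$b3" ]
  fi
)

# october_status VERSION: prints "vulnerable", "patched" or, for a
# release line the advisory does not cover, "unknown".
october_status() {
  v=${1#v}; v=${v%%-*}
  case "$v" in
    1.0.*) fixed=1.0.473 ;;
    1.1.*) fixed=1.1.6 ;;
    *)     echo unknown; return 0 ;;
  esac
  if ver_lt "$v" "$fixed"; then echo vulnerable; else echo patched; fi
}

# status_from_composer_output TEXT: pulls the installed version out of
# `composer show october/system` output. The "versions : * v1.1.5" line
# format is an assumption about composer's output, so check it locally.
status_from_composer_output() {
  v=$(printf '%s\n' "$1" | awk '/^versions/ { print $NF }')
  [ -n "$v" ] || { echo unknown; return 0; }
  october_status "$v"
}

# Constructed sample output so the script runs offline; for a live check
# replace it with "$(composer show october/system)".
SAMPLE_COMPOSER_OUTPUT='name     : october/system
descrip. : October CMS System Module
versions : * v1.1.5'

status_from_composer_output "$SAMPLE_COMPOSER_OUTPUT"
```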
📡 Detection & Monitoring
Log Indicators:
- Unusual template modifications in backend logs
- Multiple failed login attempts followed by successful backend access
- PHP execution errors in web server logs
Network Indicators:
- Unusual outbound connections from web server
- Large data transfers from CMS server
SIEM Query:
source="web_server_logs" AND ("template" OR "twig") AND ("eval" OR "exec" OR "system")
🔗 References
- https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26
- https://github.com/octobercms/october/security/advisories/GHSA-wv23-pfj7-2mjj