{"id":"CVE-2021-21264",
"details":"October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-26231 (fixed in 1.0.470/471 and 1.1.1) was discovered that has the same impact as CVE-2020-26231 & CVE-2020-15247. An authenticated backend user with the `cms.manage_pages`, `cms.manage_layouts`, or `cms.manage_partials` permissions who would **normally** not be permitted to provide PHP code to be executed by the CMS due to `cms.enableSafeMode` being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having `cms.enableSafeMode` enabled, but would be a problem for anyone relying on `cms.enableSafeMode` to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP. Issue has been patched in Build 472 (v1.0.472) and v1.1.2.\nAs a workaround, apply https://github.com/octobercms/october/commit/f63519ff1e8d375df30deba63156a2fc97aa9ee7 to your installation manually if unable to upgrade to Build 472 or v1.1.2.",
"aliases":["GHSA-fcr8-6q7r-m4wg"],
"modified":"2026-04-10T04:29:34.512235Z",
"published":"2021-05-03T16:15:07.510Z",
"related":["GHSA-fcr8-6q7r-m4wg"],
"references":[{"type":"FIX","url":"https://github.com/octobercms/october/security/advisories/GHSA-fcr8-6q7r-m4wg"}],
"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/octobercms/october","events":[{"introduced":"0"},{"last_affected":"61e49d9e0b5f7e5323353f254d4ff12905bbe573"},{"introduced":"6389554935644bfbb15db5fcd0ce4db6cbe3d103"},{"last_affected":"24d95a208bf4a0840d7b631a87ad1ce3fb4a5ed3"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0.471"},{"introduced":"1.1.0"},{"last_affected":"1.1.1"}]}}],
"versions":["v1.0.319","v1.0.320","v1.0.321","v1.0.322","v1.0.323","v1.0.324","v1.0.325","v1.0.326","v1.0.327","v1.0.328","v1.0.329","v1.0.330","v1.0.331","v1.0.333","v1.0.334","v1.0.338","v1.0.340","v1.0.341","v1.0.342","v1.0.343","v1.0.344","v1.0.345","v1.0.346","v1.0.351","v1.0.352","v1.0.353","v1.0.354","v1.0.355","v1.0.356","v1.0.358","v1.0.359","v1.0.360","v1.0.361","v1.0.362","v1.0.363","v1.0.364","v1.0.365","v1.0.366","v1.0.367","v1.0.370","v1.0.371","v1.0.372","v1.0.373","v1.0.374","v1.0.375","v1.0.376","v1.0.377","v1.0.378","v1.0.379","v1.0.380",
"v1.0.381","v1.0.382","v1.0.383","v1.0.384","v1.0.385","v1.0.386","v1.0.387","v1.0.388","v1.0.389","v1.0.390","v1.0.391","v1.0.392","v1.0.393","v1.0.394","v1.0.395","v1.0.396","v1.0.397","v1.0.398","v1.0.399","v1.0.400","v1.0.401","v1.0.402","v1.0.403","v1.0.404","v1.0.405","v1.0.406","v1.0.407","v1.0.408","v1.0.409","v1.0.410","v1.0.411","v1.0.412","v1.0.413","v1.0.414","v1.0.415","v1.0.416","v1.0.417","v1.0.418","v1.0.419","v1.0.420","v1.0.421","v1.0.422","v1.0.423","v1.0.424","v1.0.425","v1.0.426","v1.0.427","v1.0.428","v1.0.429","v1.0.430","v1.0.431",
"v1.0.432","v1.0.433","v1.0.434","v1.0.436","v1.0.437","v1.0.438","v1.0.439","v1.0.440","v1.0.441","v1.0.442","v1.0.443","v1.0.444","v1.0.445","v1.0.446","v1.0.447","v1.0.448","v1.0.449","v1.0.450","v1.0.451","v1.0.452","v1.0.453","v1.0.454","v1.0.455","v1.0.456","v1.0.457","v1.0.458","v1.0.459","v1.0.460","v1.0.461","v1.0.462","v1.0.463","v1.0.464","v1.0.466","v1.0.467","v1.0.468","v1.0.469","v1.0.470","v1.0.471","v1.1.0","v1.1.1"],
"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21264.json"}}],
"schema_version":"1.7.5",
"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"}]}