Low severity · NVD Advisory · Published Nov 23, 2020 · Updated Aug 4, 2024

Privilege escalation by backend users assigned to the default "Publisher" system role

CVE-2020-15248

Description

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users holding the default "Publisher" system role were granted the permission to create and manage other backend users, including choosing the role assigned to a new user. A "Publisher" could therefore create an account with the "Developer" role and escalate their own access. The issue has been patched in Build 470 (v1.0.470) and v1.1.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
october/backend (Packagist) | >= 1.0.319, < 1.0.470 | 1.0.470

Affected products

1

Patches

2
78a37298a4ed

Tightened up the default permissions granted to the "Publisher" system role out of the box

https://github.com/octobercms/octoberLuke TowersSep 11, 2020via ghsa
2 files changed · +17 9
  • modules/backend/ServiceProvider.php+8 5 modified
    @@ -140,31 +140,34 @@ protected function registerBackendPermissions()
                 $manager->registerPermissions('October.Backend', [
                     'backend.access_dashboard' => [
                         'label' => 'system::lang.permissions.view_the_dashboard',
    -                    'tab'   => 'system::lang.permissions.name'
    +                    'tab'   => 'system::lang.permissions.name',
                     ],
                     'backend.manage_default_dashboard' => [
                         'label' => 'system::lang.permissions.manage_default_dashboard',
                         'tab'   => 'system::lang.permissions.name',
    +                    'roles' => UserRole::CODE_DEVELOPER,
                     ],
                     'backend.manage_users' => [
                         'label' => 'system::lang.permissions.manage_other_administrators',
    -                    'tab'   => 'system::lang.permissions.name'
    +                    'tab'   => 'system::lang.permissions.name',
    +                    'roles' => UserRole::CODE_DEVELOPER,
                     ],
                     'backend.impersonate_users' => [
                         'label' => 'system::lang.permissions.impersonate_users',
                         'tab'   => 'system::lang.permissions.name',
    +                    'roles' => UserRole::CODE_DEVELOPER,
                     ],
                     'backend.manage_preferences' => [
                         'label' => 'system::lang.permissions.manage_preferences',
    -                    'tab'   => 'system::lang.permissions.name'
    +                    'tab'   => 'system::lang.permissions.name',
                     ],
                     'backend.manage_editor' => [
                         'label' => 'system::lang.permissions.manage_editor',
    -                    'tab'   => 'system::lang.permissions.name'
    +                    'tab'   => 'system::lang.permissions.name',
                     ],
                     'backend.manage_branding' => [
                         'label' => 'system::lang.permissions.manage_branding',
    -                    'tab'   => 'system::lang.permissions.name'
    +                    'tab'   => 'system::lang.permissions.name',
                     ],
                     'media.manage_media' => [
                         'label' => 'backend::lang.permissions.manage_media',
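Review bot: The added `'roles' => UserRole::CODE_DEVELOPER` entries on `backend.manage_default_dashboard`, `backend.manage_users` and `backend.impersonate_users` change only which roles receive these permissions out of the box, as the commit title says; an existing installation whose Publisher role permission set is already persisted presumably keeps `backend.manage_users` until an operator re-saves that role, so upgrade notes should tell administrators to audit the Publisher role after updating. Narrowing the default also leaves the underlying design issue in place: any role that holds `backend.manage_users` can still assign a role with broader permissions than its own, so a check in the user form/controller that rejects role assignments outranking the acting user would be a worthwhile follow-up (not part of this hunk). Unlike the system module's hunk, no `use Backend\Models\UserRole;` import is added here, so the unqualified `UserRole` relies on an import that must already exist outside the view. A comment above the array, `// 'roles' lists the default system roles granted this permission; omit it only for permissions safe for every role`, would make the convention explicit for the next permission added. `registerBackendPermissions` continues beyond the hunk.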
    
  • modules/system/ServiceProvider.php+9 4 modified
    @@ -9,6 +9,7 @@
     use Request;
     use BackendMenu;
     use BackendAuth;
    +use Backend\Models\UserRole;
     use Twig\Extension\SandboxExtension;
     use Twig\Environment as TwigEnvironment;
     use System\Classes\MailManager;
    @@ -417,19 +418,23 @@ protected function registerBackendPermissions()
                 $manager->registerPermissions('October.System', [
                     'system.manage_updates' => [
                         'label' => 'system::lang.permissions.manage_software_updates',
    -                    'tab' => 'system::lang.permissions.name'
    +                    'tab' => 'system::lang.permissions.name',
    +                    'roles' => UserRole::CODE_DEVELOPER,
                     ],
                     'system.access_logs' => [
                         'label' => 'system::lang.permissions.access_logs',
    -                    'tab' => 'system::lang.permissions.name'
    +                    'tab' => 'system::lang.permissions.name',
    +                    'roles' => UserRole::CODE_DEVELOPER,
                     ],
                     'system.manage_mail_settings' => [
                         'label' => 'system::lang.permissions.manage_mail_settings',
    -                    'tab' => 'system::lang.permissions.name'
    +                    'tab' => 'system::lang.permissions.name',
    +                    'roles' => UserRole::CODE_DEVELOPER,
                     ],
                     'system.manage_mail_templates' => [
                         'label' => 'system::lang.permissions.manage_mail_templates',
    -                    'tab' => 'system::lang.permissions.name'
    +                    'tab' => 'system::lang.permissions.name',
    +                    'roles' => UserRole::CODE_DEVELOPER,
                     ]
                 ]);
             });
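Review bot: The final entry `'system.manage_mail_templates'` still closes with `]` and no trailing comma while this hunk adds trailing commas to every sibling, so the next permission appended here will recreate the same noisy diff; `],` keeps it consistent. Nothing in the file records why these four permissions are now Developer-only while others carry no `'roles'` key, and that omission is exactly what let Publisher acquire `backend.manage_users`; a comment above the array such as `// Permissions that can change code, configuration or audit trails are Developer-only by default; a permission without 'roles' is presumably granted to every default system role` would document the convention (the semantics of an absent `'roles'` key are inferred here, not shown). `registerBackendPermissions` in this file starts before the hunk.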
    
4c650bb775ab

Security fixes for v1.0.469

https://github.com/octobercms/octoberSamuel GeorgesSep 4, 2020via ghsa
3 files changed · +67 0
  • modules/cms/classes/Controller.php+3 0 modified
    @@ -15,6 +15,7 @@
     use BackendAuth;
     use Twig\Environment as TwigEnvironment;
     use Twig\Cache\FilesystemCache as TwigCacheFilesystem;
    +use Twig\Extension\SandboxExtension;
     use Cms\Twig\Loader as TwigLoader;
     use Cms\Twig\DebugExtension;
     use Cms\Twig\Extension as CmsTwigExtension;
    @@ -23,6 +24,7 @@
     use System\Helpers\View as ViewHelper;
     use System\Classes\CombineAssets;
     use System\Twig\Extension as SystemTwigExtension;
    +use System\Twig\SecurityPolicy;
     use October\Rain\Exception\AjaxException;
     use October\Rain\Exception\ValidationException;
     use October\Rain\Parse\Bracket as TextParser;
    @@ -608,6 +610,7 @@ protected function initTwigEnvironment()
             $this->twig = new TwigEnvironment($this->loader, $options);
             $this->twig->addExtension(new CmsTwigExtension($this));
             $this->twig->addExtension(new SystemTwigExtension);
    +        $this->twig->addExtension(new SandboxExtension(new SecurityPolicy, true));
     
             if ($isDebugMode) {
                 $this->twig->addExtension(new DebugExtension($this));
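Review bot: The added `$this->twig->addExtension(new SandboxExtension(new SecurityPolicy, true));` carries no comment, and the second argument is presumably what makes the policy apply to every template rather than only `{% sandbox %}` blocks; a comment like `// Sandbox every CMS template: the SecurityPolicy deny-list applies to all method/property access, not only {% sandbox %} blocks` would stop a future refactor from dropping the flag and silently disabling the check. The same policy is instantiated independently here and in the system module's Twig environment, so if the blocked list ever needs extending the two could drift; a shared factory would keep them in step (inferred — the `SecurityPolicy` constructor in this commit takes no arguments). `initTwigEnvironment` continues past the hunk.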
    
  • modules/system/ServiceProvider.php+3 0 modified
    @@ -19,6 +19,7 @@
     use System\Twig\Engine as TwigEngine;
     use System\Twig\Loader as TwigLoader;
     use System\Twig\Extension as TwigExtension;
    +use System\Twig\SecurityPolicy as TwigSecurityPolicy;
     use System\Models\EventLog;
     use System\Models\MailSetting;
     use System\Classes\CombineAssets;
    @@ -27,6 +28,7 @@
     use October\Rain\Router\Helper as RouterHelper;
     use Illuminate\Pagination\Paginator;
     use Illuminate\Support\Facades\Schema;
    +use Twig\Extension\SandboxExtension;
     
     class ServiceProvider extends ModuleServiceProvider
     {
    @@ -297,6 +299,7 @@ protected function registerTwigParser()
             App::singleton('twig.environment', function ($app) {
                 $twig = new TwigEnvironment(new TwigLoader, ['auto_reload' => true]);
                 $twig->addExtension(new TwigExtension);
    +            $twig->addExtension(new SandboxExtension(new TwigSecurityPolicy, true));
                 return $twig;
             });
     
    
  • modules/system/twig/SecurityPolicy.php+61 0 added
    @@ -0,0 +1,61 @@
    +<?php namespace System\Twig;
    +
    +use Twig\Markup;
    +use Twig\Template;
    +use Twig\Sandbox\SecurityPolicyInterface;
    +use Twig\Sandbox\SecurityNotAllowedMethodError;
    +use Twig\Sandbox\SecurityNotAllowedPropertyError;
    +
    +/**
    + * SecurityPolicy globally blocks accessibility of certain methods and properties.
    + *
    + * @package october\system
    + * @author Alexey Bobkov, Samuel Georges
    + */
    +final class SecurityPolicy implements SecurityPolicyInterface
    +{
    +    protected $blockedProperties = [];
    +
    +    protected $blockedMethods = [
    +        'addDynamicMethod',
    +        'addDynamicProperty'
    +    ];
    +
    +    public function __construct()
    +    {
    +        $this->setBlockedMethods($this->blockedMethods);
    +    }
    +
    +    public function setBlockedMethods(array $methods)
    +    {
    +        foreach ($this->blockedMethods as $i => $m) {
    +            $this->blockedMethods[$i] = strtr($m, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz');
    +        }
    +    }
    +
    +    public function checkSecurity($tags, $filters, $functions)
    +    {
    +    }
    +
    +    public function checkMethodAllowed($obj, $method)
    +    {
    +        if ($obj instanceof Template || $obj instanceof Markup) {
    +            return;
    +        }
    +
    +        $blockedMethod = strtr($method, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz');
    +
    +        if (in_array($blockedMethod, $this->blockedMethods)) {
    +            $class = get_class($obj);
    +            throw new SecurityNotAllowedMethodError(sprintf('Calling "%s" method on a "%s" object is blocked.', $method, $class), $class, $method);
    +        }
    +    }
    +
    +    public function checkPropertyAllowed($obj, $property)
    +    {
    +        if (in_array($property, $this->blockedProperties)) {
    +            $class = get_class($obj);
    +            throw new SecurityNotAllowedPropertyError(sprintf('Calling "%s" property on a "%s" object is blocked.', $property, $class), $class, $property);
    +        }
    +    }
    +}
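Review bot: `setBlockedMethods(array $methods)` never reads its `$methods` argument: the loop iterates `$this->blockedMethods` and rewrites that same array, so a caller supplying a new list has no effect and the method only lower-cases whatever the property already holds. It works by accident from the constructor today, but as a public method it is a trap for anyone extending the deny-list and should assign from the parameter, as below. `checkSecurity` is an empty no-op, so tags, filters and functions are unrestricted and the sandbox only ever blocks the two listed method names (and nothing in `$blockedProperties`); that is a narrow deny-list against dynamic method/property injection rather than a general sandbox, and the class docblock should say so before someone assumes `{% sandbox %}`-level isolation. `checkPropertyAllowed` also compares case-sensitively while methods are lower-cased, and both lookups use `in_array` without `true`; `in_array($blockedMethod, $this->blockedMethods, true)` avoids loose comparison.
```php
public function setBlockedMethods(array $methods)
{
    $this->blockedMethods = [];
    foreach ($methods as $m) {
        // Normalise to lower-case so checkMethodAllowed's lower-cased lookup matches.
        $this->blockedMethods[] = strtr($m, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz');
    }
}
```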
    


References

5
