A vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list.
This applies only when cms.safe_mode is enabled (otherwise direct PHP injection is already possible).

The vulnerability has been patched in v3.7.14 and v4.1.10. Write operations such as insert, update, delete, and truncate are now blocked on query builder and model objects within the Twig sandbox. All users are encouraged to upgrade to the latest patched version.
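To illustrate the kind of restriction the patch describes, here is an added example (not the project's own code) of a Twig 3 sandbox policy wrapper that rejects database write methods even when the wrapped allow-list would permit them. The query builder and model class names are assumed from Laravel's Illuminate components; the method list extends the four operations named above with other write methods of the same kind.

```php
<?php
// Added example, not October CMS code: a Twig 3 sandbox policy decorator
// that denies database write methods regardless of the inner allow-list.
// The Illuminate class names below are assumptions about the host application.
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityPolicyInterface;
use Twig\Sandbox\SecurityNotAllowedMethodError;
use Twig\Extension\SandboxExtension;

final class NoDbWritePolicy implements SecurityPolicyInterface
{
    /** Method names (lower-case) that template markup must never reach. */
    private const WRITE_METHODS = [
        'insert', 'insertgetid', 'insertorignore', 'update', 'updateorinsert',
        'upsert', 'delete', 'forcedelete', 'truncate', 'save', 'create',
        'increment', 'decrement',
    ];

    /** Object types whose write methods are blocked (assumed class names). */
    private const DB_TYPES = [
        'Illuminate\Database\Query\Builder',
        'Illuminate\Database\Eloquent\Builder',
        'Illuminate\Database\Eloquent\Model',
    ];

    public function __construct(private SecurityPolicyInterface $inner) {}

    public function checkSecurity($tags, $filters, $functions): void
    {
        $this->inner->checkSecurity($tags, $filters, $functions);
    }

    public function checkMethodAllowed($obj, $method): void
    {
        foreach (self::DB_TYPES as $type) {
            if ($obj instanceof $type && in_array(strtolower($method), self::WRITE_METHODS, true)) {
                $msg = sprintf('Calling "%s" on "%s" is not allowed in the sandbox.', $method, $type);
                throw new SecurityNotAllowedMethodError($msg, $type, $method);
            }
        }
        // Fall through to the ordinary allow-list for everything else.
        $this->inner->checkMethodAllowed($obj, $method);
    }

    public function checkPropertyAllowed($obj, $property): void
    {
        $this->inner->checkPropertyAllowed($obj, $property);
    }
}

// Wire it in: wrap the application's existing allow-list policy ($twig is an
// assumed, already-configured Twig\Environment instance).
$policy = new NoDbWritePolicy(new SecurityPolicy([], [], [], [], []));
$twig->addExtension(new SandboxExtension($policy, true));
```

The decorator runs before the inner allow-list, so adding a builder class or method to the allow-list later cannot silently re-expose a write operation.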
If upgrading immediately is not possible:
Patched versions: 3.7.14, 4.1.10

CVSS 3.1 base score: 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Exploitability: AV:N (network), AC:H (high attack complexity), PR:H (high privileges required), UI:N (no user interaction)
Scope: S:U (unchanged)
Impact: C:H (confidentiality high), I:H (integrity high), A:H (availability high)