Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL.

Forgejo v1.20.5-1 was released 25 November 2023.

This release contains _critical security fixes_ related to permissions enforcement of API endpoints.

This release also contains bug fixes, as detailed in the release notes.

**Recommended Action**

We _strongly recommend_ that all Forgejo installations are upgraded to the latest version as soon as possible.

**API and web endpoint vulnerable to manually crafted identifiers**

Some API endpoints, such as adding a reaction to a comment, rely on an identifier unique to an object (a comment in this example). There are similar cases for web endpoints which are used by the Forgejo web interface.

The permissions required for the user performing the action on the repository are properly enforced. But a check was missing to ensure that the object (a comment in the example) also belongs to the repository the permissions are checked against. Without this check it is possible both to perform destructive actions and to access information in repositories unrelated to the request, including private ones.

API and web endpoints have been analysed, and those that were missing such a verification can be exploited by a malicious actor to:

*   delete releases and tags
*   delete and modify issues or pull requests comments
*   reveal the content of issues or pull requests comments from private repositories
*   perform other non-destructive actions such as creating issues, moving pinned issues, or obtaining deploy public keys

The vulnerable endpoints were fixed and tests written to verify the fix is effective.

**docker login and 2FA**

When using docker login to authenticate against a Forgejo instance using basic authentication, there needs to be an additional verification if 2FA is activated for the user. That verification was missing for the API endpoint used by docker login, thus bypassing 2FA.

**Responsible disclosure to Gitea**

On 25 October 2023 the Forgejo security team identified that multiple API and web endpoints were not protected against manually crafted identifiers, and the Gitea security team was notified. A 30-day embargo was requested, after which a patch to the v1.20 point release could be published. Further research from both Gitea and Forgejo teams in the following days revealed more vulnerabilities. Initial fixes and tests verifying they are effective were exchanged, but after their last email on 31 October 2023 the Gitea security team stopped responding. Given the severity of the vulnerability, the Forgejo security team asked again for feedback on 16 November 2023, but did not get any reply. Having exhausted all options for cooperation, the Forgejo security team completed the security fix on its own. The resulting fix which is published in this release was sent to the Gitea security team encrypted in its final version on 24 November 2023. At the time of publication, there was still no response from the Gitea security team.

**Responsible disclosure to Gogs**

The Gogs developer was notified of the vulnerability on 25 October 2023. There is no encrypted channel and only a terse but unambiguous message was sent. There has been no response.

**Forgejo will give advance warning of security releases**

Similar to what is done when a Go release contains a security fix, Forgejo will now publish advance warning of security releases. They will not reveal the details of the vulnerability but will allow Forgejo admins to plan ahead and better secure their instance. Anyone can watch to the dedicated tracker or subscribe to the RSS feed.

**Gogs and Gitea upgrades to Forgejo**

Gitea admins are reminded that Forgejo is a 100% compatible drop-in replacement for Gitea. It is enough to replace the Gitea binary or the container image with Forgejo and restart. No configuration modification is necessary. They are encouraged to choose that option to get this security fix as soon as possible.

In the absence of a security fix for Gogs, it is also possible to try and upgrade Gogs to Forgejo. Note however that such an upgrade will require manual intervention and configuration changes because the upgrade path has not been tested.

**Contribute to Forgejo**

If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!

CVE-2023-49948: Forgejo Security Release 1.20.5-1

By Waqas
In addition to his prison sentence, Amir Hossein Golshan, the culprit, has been ordered to pay $1,218,526 in restitution to his victims.
This is a post from HackRead.com Read the original post: US Man Jailed 8 Years for SIM Swapping and Apple Support Impersonation

Golshan’s schemes involved SIM swapping, social media account takeovers, Zelle payment fraud, and impersonating Apple Support personnel.

A 25-year-old man from downtown Los Angeles has been sentenced to 8 years in federal prison for orchestrating a series of online scams that defrauded hundreds of victims of over $740,000.

Amir Hossein Golshan (PDF) was convicted of one count of unauthorized access to a protected computer to obtain information, one count of wire fraud, and one count of accessing a computer to defraud and obtain value.

Golshan’s schemes involved SIM swapping, social media account takeovers, Zelle payment fraud, and impersonating Apple Support personnel. He used these methods to steal money, NFTs, cryptocurrency, and other valuable digital property from his victims.

> It looks like the SIM swapper who impersonated Apple Support to steal $386K worth of crypto and NFTs (BAYC 9012) from @Mr312 last year was just sentenced to 8 years in prison + ordered to pay $1.2M in restitution.
> 
> How do we know it’s his scammer?
> 
> In the DOJ press release they… pic.twitter.com/qBrWBpROVg
> 
> — ZachXBT (@zachxbt) November 30, 2023

In one instance, Golshan targeted a Los Angeles-based model and influencer with over 100,000 Instagram followers. He gained access to her Instagram account and impersonated her to her friends, requesting them to send him money through Zelle, PayPal, and other online payment platforms.

Several of the victim’s friends sent Golshan money, totalling thousands of dollars, believing they were sending money to the victim. In another instance, Golshan impersonated Apple Support personnel to gain unauthorized access to several victims’ Apple iCloud accounts. He then stole NFTs, cryptocurrency, and other valuable digital property from these accounts.

In another case, he stole an NFT valued at approximately $319,000 and approximately $70,000 worth of cryptocurrency from a victim. U.S. District Judge Otis D. Wright II, who sentenced Golshan, stated that his crimes went “beyond just money” and that they showed a “wanton cruelty” that caused the victims to live in a state of “constant fear and worry.”

According to the US Department of Justice’s press release on Monday, November 27, 2023, Golshan has been in federal custody since June 2023 for violating the terms of his pretrial release. In addition to his prison sentence, he is ordered to pay $1,218,526 in restitution to his victims.

1.  **Police Dismantle SIM Swapping Gang in Spain**
2.  **Indian police & Microsoft busts tech support scam centers**
3.  **10 SIM-swapping hackers nabbed for targeting US celebrities**
4.  **Authorities take down scam campaign impersonating the WHO**
5.  **Man hacks Indian tech support scam call center; leaks CCTV footage**

US Man Jailed 8 Years for SIM Swapping and Apple Support Impersonation

The transmitter suffers from an improper access control that allows an unauthenticated actor to directly reference the system.cgi endpoint and disclose the clear-text password of the admin user allowing authentication bypass and FM station setup access.

Title: R Radio Network FM Transmitter 1.07 system.cgi Password Disclosure  
Advisory ID: ZSL-2023-5802  
Type: Local/Remote  
Impact: Exposure of Sensitive Information, Security Bypass  
Risk: (5/5)  
Release Date: 03.12.2023

**Summary**

R Radio FM Transmitter that includes FM Exciter and FM Amplifier parameter setup.

**Description**

The transmitter suffers from an improper access control that allows an unauthenticated actor to directly reference the system.cgi endpoint and disclose the clear-text password of the admin user allowing authentication bypass and FM station setup access.

**Vendor**

R Radio Network - http://www.pktc.ac.th

**Affected Version**

1.07

**Tested On**

CSBtechDevice

**Vendor Status**

\[09.10.2023\] Vulnerability discovered.  
\[10.10.2023\] Vendor contacted.  
\[10.10.2023\] Vendor responds asking more details.  
\[11.10.2023\] Sent details to the vendor.  
\[14.10.2023\] Vendor confirms the issue, working on a patch.  
\[29.10.2023\] Vendor releases version 1.09 to address this issue.  
\[03.12.2023\] Coordinated public security advisory released.

**PoC**

r\_transmitter\_pwd.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[03.12.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

R Radio Network FM Transmitter 1.07 system.cgi Password Disclosure

OctoberCMS suffers from stored cross-site scripting vulnerability when a user with the ability to be an author feature could perform a stored XSS attack against any other users visiting the posts by the author. This can lead to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Title: OctoberCMS v3.4.0 (Author) Stored Cross-Site Scripting Vulnerability  
Advisory ID: ZSL-2023-5804  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (3/5)  
Release Date: 03.12.2023

**Summary**

OctoberCMS is a self-hosted content management system (CMS) based on the PHP programming language and Laravel web application framework. It supports MySQL, SQLite and PostgreSQL for the database back end and uses a flat file database for the front end structure. The October CMS covers a range of capabilities such as users, permissions, themes, and plugins, and is seen as a simpler alternative to WordPress.

**Description**

OctoberCMS suffers from stored cross-site scripting vulnerability when a user with the ability to be an author feature could perform a stored XSS attack against any other users visiting the posts by the author. This can lead to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

**Vendor**

October CMS - https://www.octobercms.com

**Affected Version**

3.4.0

**Tested On**

macOS Monterey 12.6.3  
Docker 4.12.0 (85629)  
PHP/8.1.6

**Vendor Status**

\[30.10.2023\] Vulnerability discovered.  
\[31.10.2023\] Contact with the vendor.  
\[06.11.2023\] Vendor asked for the details.  
\[07.11.2023\] Sent details to the vendor.  
\[11.11.2023\] Vendor asked for confirmation if the findings were within their scope.  
\[14.11.2023\] Confirmed the issues are within the scope.  
\[20.11.2023\] Vendor asked for further information on how exploits affect a public-facing website.  
\[22.11.2023\] Explained about impact of the findings in detail.  
\[29.11.2023\] Vendor didn't consider the findings as vulnerabilities.  
\[03.12.2023\] Public security advisory released.

**PoC**

octobercms\_xss(author).txt

**Credits**

Vulnerability discovered by Nazli Soysal Kuran - <nazli@zeroscience.mk\>

**References**

N/A

**Changelog**

\[03.12.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

OctoberCMS v3.4.0 (Author) Stored Cross-Site Scripting Vulnerability

QR codes can be convenient—but they can also be exploited by malicious actors. Here’s how to protect yourself.

And you don’t need anything special to create a QR code. The tools are widely available and straightforward to use, and putting together a QR code of your own isn’t much more difficult than scanning one. If you wanted to create a QR code that points to a website that’s been put together for malicious purposes, it would only take a couple of minutes. The QR code could then be stuck on a wall, attached to an email, or printed on a document, ready to be scanned.

The aims of these websites are the same as they’ve always been: to get you to download something that will compromise the security of your accounts or your devices, or to get you to enter some login credentials that will then be relayed straight to the hackers (most probably using a spoof site set up to look like something genuine and trustworthy). The intended end results are the same as ever, but the method of getting there is different.

Avoiding QR Code Hacks

The security precautions you should already be using are the same ones that will keep you protected against QR code hacking. Just as you would with emails or instant messages, don’t trust QR codes if you’re not sure where they’ve come from—perhaps attached to suspicious-looking emails or on websites that you can’t verify. The QR code on the menu in your local restaurant, in contrast, is highly unlikely to have been generated by hackers.

Of course, there’s always the chance that the accounts of your friends, family, and colleagues have been compromised, so you can never be 100 percent sure that a message with a QR code in it is genuine. Scams will usually try to imply a sense of urgency and alarm: Scan this QR code to verify your identity or prevent the deletion of your account or take advantage of a time-limited offer.

You should get a preview of the link you’re visiting from a QR code.

Apple via David Nield

As always, your digital accounts should be as heavily protected as possible, so that if you do fall victim to a QR code trick, safety nets are in place. Switch on two-factor authentication for every account that offers it, make sure your personal details are up to date (such as backup email addresses and phone numbers that can be used to recover your accounts), and log out of devices you’re no longer using (you should also delete old accounts you no longer have any need for).

Finally, keep your software up to date—something that’s happily now very easy to do. The latest versions of popular mobile web browsers come with built-in tech for spotting fraudulent links: These integrated protections aren’t infallible, but the more up-to-date your browser and mobile OS are, the better your chances of getting a warning on screen if you’re about to visit an unsafe location on the web.

How to Not Get Hacked by a QR Code

Interpol has upgraded its biometric background check tech. It'll help catch criminals, but will it protect sensitive, immutable data belonging to the innocent?

Source: Huang Zheng via Shutterstock

In November, Interpol arrested a fugitive smuggler using a new biometric security system it plans to deploy across its 196 member countries.

The colorlessly named "Biometric Hub" collates Interpol's existing fingerprint and facial-recognition data into one place, allowing border control and frontline officers to query criminal biometric records in real time.

The system is backed with certain privacy guarantees, but questions remain about the extent of its reach, and of any organization's ability to keep a tight hold over such privileged data.

"This is going to be a super high-value target for somebody to get access to," John Gallagher, vice president at Viakoo, worries. "Any time you put together such valuable information, it's obviously going to get hacked and leaked."

**The First Criminal Caught by Biometric Hub**

Just a couple of weeks ago, a group of migrants was crossing the Balkans on their way to Western Europe. In their midst was a fugitive migrant smuggler.

The group encountered a police check in Sarajevo, Bosnia and Herzegovina.

"Wanted on organized crime and human trafficking charges since 2021, the smuggler presented himself as a fellow migrant under a false name, using a fraudulent identification document to avoid detection," Interpol recounted in a press release.

Unfortunately for the fugitive, this police check was among the first to utilize the new Biometric Hub out in the field. "When the smuggler’s photo was run through the Biometric Hub, it immediately flagged that he was wanted in another European country. He was arrested and is currently awaiting extradition."

There's little doubt that the Biometric Hub will streamline Interpol's criminal background checks. But does it provide sufficient security and privacy checks for the citizens who aren't trying to perform crimes across borders?

**Concerns Over Biometric Policing**

To assuage fears of a sci-fi dystopia, Interpol explained on Wednesday that its new biometrics system will abide by its "robust" data protection framework.

Of note, the agency added that "biometric data run through the Hub in a search is not added to INTERPOL's criminal databases, is not visible to other users and any data that does not result in a match is deleted following the search."

Dark Reading has reached out for comment to Interpol, and the vendor supporting Biometric Hub — Idemia — but hasn't yet received a response as of this publication.

Besides privacy, Gallagher points out, a system containing the most sensitive identifying information belonging to the most dangerous criminals out there is an inevitable target for cyberattackers. And a breach of such a system wouldn't be unprecedented.

In 2019, for example, a 23-gigabyte leak at a company contracted by UK police and other government agencies led to the exposure of somewhere around one million fingerprint and facial recognition records. Elsewhere, background checks have been accessed from the US Department of Homeland Security, images have been stolen from Customs and Border Patrol, and more.

"I'm not saying that authorities are doing the wrong thing here — I think they are doing the right thing," Gallagher says. Then he predicts all the many ways the system could fail.

"How frequently do things like the cameras themselves malfunction? And what happens if somebody gets to the camera network? Internet of Things (IoT) devices are the easiest in the universe to hack into," he says.

"My argument is that, in a few years, biometrics won't be trusted," he warns. "Because I pass a camera 100 times a day in my enterprise, and that enterprise might not be securing that camera data very well."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Interpol Arrests Smuggler With New Biometric Screening Database

By Waqas
Cyber Av3ngers, a group of hacktivists believed to be originating from Iran, conducted the cyber attack.
This is a post from HackRead.com Read the original post: Cyberattack Defaces Israeli-Made Equipment at US Water Agency, Brewing Firm

The targets included the Equipment used by the Municipal Water Authority of Aliquippa, Pennsylvania and Brewmation, a New York-based company specializing in turnkey brewing and distilling equipment.

U.S. officials have attributed a cyberattack on the Municipal Water Authority of Aliquippa, Pennsylvania, to the hacktivist group Cyber Av3ngers. This is the same group that previously claimed responsibility for targeting the Israeli oil refinery giant BAZAN with a series of DDoS attacks (distributed denial-of-service attacks).

According to Check Point Research and Google’s Mandiant reports, this group is believed to have ties to the Iranian government.

In its cyber attack on the Municipal Water Authority of Aliquippa on Saturday, Nov. 25, 2023, Cyber Av3ngers defaced the equipment used by the authority with a message of their own, stating that they were targeting Israeli-made equipment. Reportedly, the equipment that was targeted and disabled was manufactured by the Israeli company Unitronics.

Hackread.com can exclusively confirm that the group also targeted Brewmation, a New York-based company specializing in turnkey brewing and distilling equipment. The company’s brewery control system experienced a cyber attack over the Thanksgiving weekend.

The cyberattack on the equipment used by Bewmation saw the same deface image that was left by the hackers on the equipment used by the Municipal Water Authority of Aliquippa.

Evidence suggests that the hackers deliberately targeted the facility due to the equipment’s Israeli origin. A photo from the targeted organization shows a message from the hackers that read, _“**Every equipment ‘made in Israel’ is Cyber Av3ngers legal target.”**_

The attack targeted a device used to control water levels at the authority’s tanks automatically. However, it did not disrupt water service to customers. Still, the incident has raised concerns about the vulnerability of critical infrastructure to cyber threats.

Cybersecurity experts had warned that the ongoing conflict between Israel and Hamas may cause a spike in cyberattacks in Western Pennsylvania and other regions. The Western Pennsylvania All Hazards Fusion Center issued an alert warning that anti-Israel threat actors could target any critical infrastructure or key resources in the region.

In response to the attack, area representative Congressman Chris Deluzio has called for a full investigation into this incident while emphasizing the need for all organizations, including small local governments and private actors, to step up their cybersecurity systems. Deluzio noted that implementing sophisticated cyber defences is the need of the day.

Three Pennsylvania lawmakers have urged for an investigation by the U.S. Department of Justice to warn other water and sewage treatment utilities about possible threats and risks involved with vulnerable industrial control systems.

In a letter to Attorney General Merrick Garland, Senators John Fetterman and Bob Casey, along with Representative Chris Deluzio, raised concerns over the vulnerable nature of drinking water and other critical infrastructure.

They emphasized the need to protect these systems from foreign adversaries and terrorist organizations, urging the DoJ to investigate the incident thoroughly and also calling for a broader assessment of the nation’s cybersecurity posture.

Federal agencies are also involved in the investigation. The Cybersecurity and Infrastructure Security Agency (CISA) released a statement revealing that it is aware of the intrusion and is working with partners to understand the situation and provide support. The FBI did not confirm or deny that an investigation was underway. 

The Aliquippa Water Authority chairman, Matthew Mottes, stated that federal officials informed him of more hacking attempts from the same threat actor, targeting four of their utilities and an aquarium.

Cyber Av3ngers claimed to have hacked 10 water treatment stations in Israel on October 30 in a separate development. It is unclear whether any equipment was shut down due to these attacks.

Cyber Av3ngers on Telegram

Nevertheless, the cyberattack highlights the capabilities and skills hacktivists possess to deliver their message to adversaries. Cyber Av3ngers vow to continue targeting Israel and any company or business utilizing equipment manufactured or provided by the State of Israel.

****_RELATED ARTICLES_****

1.  **Israel’s Channel 10 TV Station Hacked by Hamas**
2.  **Hackers deface Airport screens in Iran with anti-govt messages**
3.  **LG Smart TV Screen Bricked After Android Ransomware Infection**
4.  **Iran State-Run TV’s Live Transmission Hacked by Edalate Ali Hackers**
5.  **TV broadcasts in California interrupted to show “end of the world” alert**

Cyberattack Defaces Israeli-Made Equipment at US Water Agency, Brewing Firm

An ESA cybersecurity expert explains how space-based data and services benefit from public investment in space programs.

Source: NASA / Dembinsky Photo Associates via Alamy Stock Photo

Cybersecurity for space missions is not optional and should be taken seriously. The barrier to entry for threat actors has significantly shrunk, exposing organizations to attacks from hardened cybercriminals and script kiddies alike.

While Europe's burgeoning commercial space industry is facing some challenges, the European Space Agency (ESA) is taking specific steps to boost defenses, such as planning to provide access for organizations to its space cybersecurity operations center (C-SOC), which is currently under development, and providing tools to those in the space industry. In a Nov. 2 keynote presentation at this year's Software Defined Space Conference, in Tallinn, Estonia, I explained some of the immediate commercial challenges for Europe's burgeoning space industry and what the ESA is doing to shore up commercial space cybersecurity.

**Main Cyber Threats to Space Infrastructure**

The main threats that target space infrastructure are not new. In many cases they are well-known threats similar to those we see in many other business fields and in critical infrastructure outside of the space domain. The reason why those are now affecting the space domain so much is mainly due to a dramatic evolution in technology for space infrastructures.

Until a few years ago, space infrastructure used technology that did not exist elsewhere, was extremely expensive, and required special knowledge and insight to understand and attack. This created a high entry barrier for threat actors, and only large, state-level actors had the resources for a successful attack.

The situation has changed dramatically over the past decade. Commercialization is driving the fusion of standard IT technology and software solutions with the space business. That lowers the barrier for both space-based businesses and threat actors, bringing a number of everyday threats from the Internet into the space domain.

A spacecraft, even a small one, represents the most significant investment for companies that want to establish a business around space-based data and services. This is especially true for startups and smaller companies, where the survival of the company is directly connected to the operational availability of the spacecraft. As such, most companies take cybersecurity very seriously and have taken measures to protect their assets both in space and on the ground. These measures include the execution of cybersecurity controls in the ground segment and protection of the communications links by, for example, deploying telecommand authentication.

At the same time, space systems are no longer isolated. In many cases they are fully integrated with other networks, such as the Internet, to meet business needs. That means cybercriminals and "script kiddies" have access to the space domain, driven by the quick profits to be made through information theft or the ransoming of assets.

**Common Vulnerabilities for Space Projects**

The most common weaknesses and vulnerabilities targeted are the same as those we see elsewhere, such as in a financial system. Attackers pick at the whole space system stack, from network protocol and protocol implementation weaknesses; social engineering, application, and operating system exploits; through to sending malicious commands. And now all of this can be automated, significantly increasing the likelihood of a successful attack.

ESA's answer to this situation is to deploy a solid defense-in-depth security posture, a fully security-certified end-to-end mission ground segment called Ground Operation System Common Core — Multi-Mission Generation (EGOS-MG). All elements of this system will be available to the European space industry under European community license and, if deployed in an appropriate environment, can provide a similar level of protection for commercial ground segments.

This system is complemented with a Space Cybersecurity Operations Centre (C-SOC), deployed at the European Space Operations Centre (ESOC) and the European Space Security and Education Centre (ESEC). C-SOC will start initial operations in 2024 and will provide the ability to detect and act on emerging cyberattacks to ESA's space system infrastructures. The C-SOC services will also be available to the European space industry.

**How Technologies Can Improve Public and Private Space Cybersecurity**

Artificial intelligence (AI) and digitalization have a profound impact on space cybersecurity. AI can greatly enhance cybersecurity capabilities related to pattern recognition and automated testing. In the case of the C-SOC, AI will help human staffers understand which detected anomaly is really a cyberattack and which is a false positive. Machine learning will help the C-SOC reduce the number of false positives over time and detect novel attack patterns that did not occur before.

Likewise, digitalization — in particular, model-based system engineering (MBSE) — has the potential to significantly improve the cybersecurity engineering process for a complex system by allowing efficient threat and risk assessment. For example, the digital model will help system and security engineers to immediately understand the impact of introducing a certain security control (e.g., the encryption of telemetry) on the overall system. It could be that this encryption control requires changes to other parts of the system or updates to the risk assessment that are not immediately apparent.

However, new technologies also bring new threats. AI is particularly vulnerable to cyberattacks in the form of data poisoning. It is essential that organizations that deploy these new technologies are aware of the increased number of threats they allow for.

The ESA Directorate of Operations is currently working with the European space industry to mature these capabilities in a secure manner as part of the ESA General Support Technology Programme (GSTP), which will benefit the ESA and industry alike.

**About the Author(s)**

Head of Ground Segment System and Cybersecurity Engineering, European Space Agency

Dr. Daniel Fischer is Head of Ground Segment System and Cybersecurity Engineering at the European Space Agency (ESA). Cybersecurity is now a key topic in the agency's technology development programs, which Dr. Fischer encourages businesses across Europe's space sector to explore and participate in.

The European Space Agency Explores Cybersecurity for Space Industry

October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This issue has been patched in 3.4.15.

**Impact**

An authenticated backend user with the editor.cms_pages, editor.cms_layouts, or editor.cms_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.safe_mode being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.

This is not a problem for anyone who trusts their users with those permissions to usually write and manage PHP within the CMS by not having cms.safe_mode enabled. Still, it would be a problem for anyone relying on cms.safe_mode to ensure that users with those permissions in production do not have access to write and execute arbitrary PHP.

**Patches**

This issue has been patched in v3.4.15.

**Workarounds**

As a workaround, remove the specified permissions from untrusted users.

**References**

Credits to:

*   Vasiliy Bodrov

**For more information**

If you have any questions or comments about this advisory:

*   Email us at hello@octobercms.com

CVE-2023-44382: Safe mode bypass using Twig sandbox escape

October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can craft a special request to include PHP code in the CMS template. This issue has been patched in version 3.4.15.

**Impact**

An authenticated backend user with the editor.cms_pages, editor.cms_layouts, or editor.cms_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.safe_mode being enabled can craft a special request to include PHP code in the CMS template.

This is not a problem for anyone who trusts their users with those permissions to usually write & manage PHP within the CMS by not having cms.safe_mode enabled. Still, it would be a problem for anyone relying on cms.safe_mode to ensure that users with those permissions in production do not have access to write and execute arbitrary PHP.

**Patches**

This issue has been patched in v3.4.15.

**Workarounds**

As a workaround, remove the specified permissions from untrusted users.

**References**

Credits to:

*   Vasiliy Bodrov

**For more information**

If you have any questions or comments about this advisory:

*   Email us at hello@octobercms.com

Tag

#auth