CVE-2021-32649: 
PHP vulnerability analysis and mitigation

October CMS, a self-hosted content management system based on the Laravel PHP Framework, was found to contain a vulnerability (CVE-2021-32649) that affects versions prior to 1.0.473 and 1.1.6. The vulnerability allows attackers with backend privileges to execute PHP code through specially crafted Twig code in the template markup (GitHub Advisory).

The vulnerability is classified as a Code Injection (CWE-94) issue, which is a more specific variant of Improper Neutralization of Special Elements in Output Used by a Downstream Component (CWE-74). The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers with 'create, modify and delete website pages' privileges in the backend to execute arbitrary PHP code through template markup manipulation. This could potentially lead to complete system compromise with the same privileges as the web application (GitHub Advisory).

The vulnerability has been patched in October CMS versions 1.0.473 and 1.1.6. For users unable to upgrade immediately, a manual patch can be applied by implementing the changes from commit 167b592 (GitHub Commit).