
Cloud Vulnerability DB
A community-led vulnerabilities database
October CMS, a self-hosted content management system based on the Laravel PHP Framework, contained a vulnerability (CVE-2021-32650) that allowed attackers with backend access to execute arbitrary PHP code through the theme import feature, bypassing the safe mode feature that prevents PHP execution in CMS templates. The vulnerability was discovered in versions 1.0.472 and 1.1.5, and was patched in versions 1.0.473 and 1.1.6 (GitHub Advisory).
The flaw lay in the theme import functionality of October CMS. The import process performed insufficient security checks against the CMS safe mode setting, so an authenticated backend user could import a theme containing PHP code and have that code executed despite safe mode being enabled (GitHub Commit).
An attacker with backend access could execute arbitrary PHP code on the server by exploiting the theme import feature. This bypass of the safe mode security feature could potentially lead to full server compromise, depending on the server configuration and permissions (GitHub Advisory).
The issue was patched in October CMS versions 1.0.473 and 1.1.6. For users unable to upgrade, the fix can be applied manually by implementing the changes from commit 167b592. The patch adds additional security checks to prevent theme import operations when safe mode is enabled (GitHub Advisory, GitHub Commit).
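As an added illustration (not October CMS's own code, nor the contents of commit 167b592), the following Python audit mirrors the patched behaviour described above: it refuses a theme import outright while safe mode is enabled, and reports which templates carry a PHP code section so an administrator can see what would otherwise have been executed. It assumes October's template layout, where sections are separated by a line containing only `==` and a three-section file keeps its PHP code in the middle section; the `safe_mode` flag and the sample templates are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample templates in October CMS layout. Two sections means
# INI config then Twig markup; three sections means INI config, PHP code,
# then Twig markup. Safe mode exists to keep that middle section from running.
SAFE_PAGE = """title = "Home"
url = "/"
==
<h1>{{ this.page.title }}</h1>
"""

PHP_PAGE = """title = "Contact"
url = "/contact"
==
<?php
function onStart() { $this['now'] = date('c'); }
?>
==
<p>{{ now }}</p>
"""

# A section separator is "==" alone on its line (trailing \r or spaces tolerated).
SECTION_SEPARATOR = re.compile(r"^==\s*$", re.MULTILINE)


def php_section(template: str) -> Optional[str]:
    """Return the PHP code section of a template, or None if it has none."""
    sections = [s.strip() for s in SECTION_SEPARATOR.split(template)]
    return sections[1] if len(sections) >= 3 else None


def check_theme_import(files: Dict[str, str], safe_mode: bool) -> Tuple[bool, List[str]]:
    """Decide whether a theme (path -> template text) may be imported.

    Returns (allowed, paths_with_php). Like the described fix, the import is
    refused whenever safe mode is on; the flagged paths explain the risk.
    """
    flagged = [path for path, text in files.items() if php_section(text) is not None]
    if safe_mode:
        return False, flagged
    return True, flagged


if __name__ == "__main__":
    theme = {"pages/home.htm": SAFE_PAGE, "pages/contact.htm": PHP_PAGE}
    allowed, with_php = check_theme_import(theme, safe_mode=True)
    print("import allowed:", allowed, "templates with PHP:", with_php)
```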
Source: This report was generated using AI