GMS-2022-3144: Bypass of CMS Safe Mode Security Feature

July 15, 2022 (updated July 16, 2022)

Authenticated users with permissions to create or modify theme template objects through the backend CMS editor can exploit this vulnerability to bypass the cms.enableSafeMode security feature if enabled (disables modification of PHP code through the web interface when enabled). This is only an issue for Winter CMS instances that rely on the Safe Mode security feature to prevent privileged users from modifying the PHP code of CMS theme template objects through the web interface.

References

github.com/advisories/GHSA-q37h-jhf3-85cj
github.com/wintercms/winter/security/advisories/GHSA-q37h-jhf3-85cj

Code Behaviors & Features

Detect and mitigate GMS-2022-3144 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →