Listen to this Post
A server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler’s import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled.
– The vulnerability exists because the CMS allows uploading and editing of CSS preprocessor files (.less, .sass, .scss) even when safe mode is active.
– These files are processed by server-side compilers (like less.php, scssphp) that handle `@import` directives.
– An attacker with backend Editor permissions can create a malicious preprocessor file containing an `@import` statement pointing to a sensitive local file (e.g., @import "file:///etc/passwd").
– When the CMS compiles the malicious file, the compiler follows the import and reads the contents of the targeted local file.
– The file’s content is then included in the compiled CSS output, which can be retrieved by the attacker, leading to information disclosure.
– This bypass works even when `cms.safe_mode` is enabled, as the preprocessor compilers are not restricted by the safe mode configuration.
– The vulnerability is distinct from direct PHP injection, which is already possible when safe mode is disabled.
– It requires authenticated backend access and the “Editor” permission level, limiting the attack surface.
– The issue affects all versions prior to the patched releases (v3.7.14 and v4.1.10).
– The fix prevents the creation, upload, or editing of .less, .sass, and .scss files when `cms.safe_mode` is enabled, blocking the attack vector at the source.
dailycve form:
Platform: October CMS
Version: <3.7.14,<4.1.10
Vulnerability : Safe Mode Bypass
Severity: Medium
date: 2026-04-21
Prediction: 2026-04-21
Analytics under heading What Undercode Say:
Check if your October CMS version is vulnerable
php artisan october:version
Find all .less, .sass, .scss files in your project
find ./ -type f ( -name ".less" -o -name ".sass" -o -name ".scss" )
Search for potential malicious imports in those files
grep -r "@import" --include=".{less,sass,scss}" ./
Exploit:
An authenticated Editor user can:
- Navigate to the CMS editor or media manager.
- Create a new .less file with the following content:
@import "file:///etc/passwd";
- Save the file and trigger its compilation (e.g., by viewing the corresponding page).
- The server’s response will include the contents of `/etc/passwd` within the CSS output.
Protection from this CVE
- Immediate Upgrade: Update to October CMS v3.7.14 or v4.1.10 or later.
- Workaround 1: Set `cms.editable_asset_types` config to `[‘css’, ‘js’]` to remove preprocessor file types from the editor.
- Workaround 2: Restrict Editor tool access to fully trusted administrators only.
- Prevention: Disable `cms.safe_mode` only if untrusted template editing is not a concern (but note this enables direct PHP injection).
- Monitoring: Audit backend access logs for unusual file creation or modification activity.
Impact
- Information Disclosure: Attackers can read arbitrary files from the server, including sensitive configuration files, database credentials, and application secrets.
- Privilege Escalation: The disclosed information can be used to pivot to more severe attacks.
- Availability: No direct impact on availability, but successful exploitation can lead to full system compromise.
- Scope: Only affects instances where `cms.safe_mode` is enabled and authenticated Editor users exist.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

