CVE-2024-34082 – Grav Arbitrary File Read to Account Takeover
https://notcve.org/view.php?id=CVE-2024-34082
Grav is a file-based Web platform. Prior to version 1.7.46, a low-privilege user account with page edit privilege can read any server file using Twig syntax. This includes Grav user account files, `/grav/user/accounts/*.yaml`, which store the hashed user password, the 2FA secret, and the password reset token. This allows an adversary to compromise any registered account and read any file on the web server, either by resetting a user's password and retrieving the password reset token from the file, or by cracking the hashed password.
References: https://github.com/getgrav/grav/commit/b6bba9eb99bf8cb55b8fa8d23f18873ca594e348 https://github.com/getgrav/grav/security/advisories/GHSA-f8v5-jmfh-pr69
Weakness: CWE-269: Improper Privilege Management
CVE-2024-28119 – Grav vulnerable to Server Side Template Injection (SSTI) via Twig escape handler
https://notcve.org/view.php?id=CVE-2024-28119
Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to unrestricted access to the Twig extension class from the Grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue.
References: https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58 https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99
Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2024-28118 – Grav vulnerable to Server Side Template Injection (SSTI)
https://notcve.org/view.php?id=CVE-2024-28118
Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to unrestricted access to the Twig extension class from the Grav context, an attacker can redefine the config variable and thereby bypass a previous SSTI mitigation. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.
References: https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4
Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2024-28117 – Grav vulnerable to Server Side Template Injection (SSTI)
https://notcve.org/view.php?id=CVE-2024-28117
Grav is an open-source, flat-file content management system. Prior to version 1.7.45, Grav validates accessible functions through the Utils::isDangerousFunction function, but does not impose restrictions on Twig functions such as twig_array_map, allowing attackers to bypass the validation and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Upgrading to patched version 1.7.45 mitigates this issue.
References: https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe https://github.com/getgrav/grav/security/advisories/GHSA-qfv4-q44r-g7rv
Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2024-28116 – Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass
https://notcve.org/view.php?id=CVE-2024-28116
Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server, bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.
References: https://github.com/geniuszlyy/GenGravSSTIExploit https://github.com/akabe1/Graver https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh
Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine