CVE-2024-27921 – Grav File Upload Path Traversal vulnerability
https://notcve.org/view.php?id=CVE-2024-27921
Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw poses severe risks that can allow attackers to inject arbitrary code on the server, undermine the integrity of backup files by overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration techniques. Upgrading to patched version 1.7.45 mitigates the issue.
References:
https://github.com/getgrav/grav/commit/5928411b86bab05afca2b33db4e7386a44858e99
https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-27923 – Remote Code Execution by uploading a phar file using frontmatter
https://notcve.org/view.php?id=CVE-2024-27923
Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code execution. Version 1.7.43 fixes this issue.
References:
https://github.com/getgrav/grav/commit/e3b0aa0c502aad251c1b79d1ee973dcd93711f07
https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v
Weaknesses: CWE-287: Improper Authentication; CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2023-31506
https://notcve.org/view.php?id=CVE-2023-31506
A cross-site scripting (XSS) vulnerability in Grav versions 1.7.44 and before allows remote authenticated attackers to execute arbitrary web scripts or HTML via the onmouseover attribute of an ISINDEX element.
References:
https://m3n0sd0n4ld.github.io/patoHackventuras/cve-2023-31506
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37897 – Server-side Template Injection (SSTI) in grav
https://notcve.org/view.php?id=CVE-2023-37897
Grav is a file-based web platform built in PHP. Grav is subject to a server-side template injection (SSTI) vulnerability. The fix for another SSTI vulnerability using the `|map`, `|filter` and `|reduce` twig filters, implemented in commit `71bbed1`, introduces a bypass of the denylist due to an incorrect return value from `isDangerousFunction()`, which allows the payload to be executed by prepending a double backslash (`\\`). The `isDangerousFunction()` check in version 1.7.42 and onwards returns `false` instead of `true` when the `\` symbol is found in `$name`. This vulnerability can be exploited if the attacker has access to:
1. an Administrator account, or
2. a non-administrator user account that has Admin panel access and Create/Update page permissions.
References:
https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b
https://github.com/getgrav/grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7
https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53
Weaknesses: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'); CWE-393: Return of Wrong Status Code