CVE-2023-34452 – Grav vulnerable to Self Cross Site Scripting in /forgot_password
https://notcve.org/view.php?id=CVE-2023-34452
Grav is a flat-file content management system. In versions 1.7.42 and prior, the "/forgot_password" page has a self-reflected cross-site scripting vulnerability that can be exploited by injecting a script into the "email" parameter of the request. While this vulnerability can potentially allow an attacker to execute arbitrary code on the user's browser, the impact is limited as it requires user interaction to trigger the vulnerability. As of time of publication, a patch is not available. Server-side validation should be implemented to prevent this vulnerability. • https://github.com/getgrav/grav/security/advisories/GHSA-xcr8-cc2j-62fc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-34448 – Grav Server-side Template Injection (SSTI) via Twig Default Filters
https://notcve.org/view.php?id=CVE-2023-34448
Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`. Grav es un sistema de gestión de contenidos de archivos planos. Antes de la versión 1.7.42, el parche para CVE-2022-2073, una vulnerabilidad de inyección de plantillas del lado del servidor en Gray aprovechando la función predeterminada "filter()", no bloqueaba otras funciones integradas expuestas por la extensión principal de Twig que podían utilizarse para invocar funciones no seguras arbitrarias, permitiendo así la ejecución remota de código. • https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8 https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8 https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148 https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66 https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVE-2023-34253 – Grav vulnerable to Server-side Template Injection (SSTI) via Denylist Bypass
https://notcve.org/view.php?id=CVE-2023-34253
Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist. • https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190 https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66 https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-184: Incomplete List of Disallowed Inputs CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVE-2023-34252 – Grav Server-side Template Injection via Insufficient Validation in filterFilter
https://notcve.org/view.php?id=CVE-2023-34252
Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. The vulnerability can be found in the `GravExtension.filterFilter()` function declared in `/system/src/Grav/Common/Twig/Extension/GravExtension.php`. • https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698 https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074 https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec https://github.com/getgrav/grav/security/advisories/GHSA-96xv-rmwj-6p9w • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-184: Incomplete List of Disallowed Inputs CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVE-2023-34251 – Grav Server Side Template Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-34251
Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue. • https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174 https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5 https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5 • CWE-94: Improper Control of Generation of Code ('Code Injection') •