CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 2CVE-2023-34253 – Grav vulnerable to Server-side Template Injection (SSTI) via Denylist Bypass
https://notcve.org/view.php?id=CVE-2023-34253
Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist. • https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190 https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66 https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-184: Incomplete List of Disallowed Inputs CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-34252 – Grav Server-side Template Injection via Insufficient Validation in filterFilter
https://notcve.org/view.php?id=CVE-2023-34252
Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. The vulnerability can be found in the `GravExtension.filterFilter()` function declared in `/system/src/Grav/Common/Twig/Extension/GravExtension.php`. • https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698 https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074 https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec https://github.com/getgrav/grav/security/advisories/GHSA-96xv-rmwj-6p9w • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-184: Incomplete List of Disallowed Inputs CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2023-34251 – Grav Server Side Template Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-34251
Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue. • https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174 https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5 https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2073 – Code Injection in getgrav/grav
https://notcve.org/view.php?id=CVE-2022-2073
Code Injection in GitHub repository getgrav/grav prior to 1.7.34. Una Inyección de Código en el repositorio GitHub getgrav/grav versiones anteriores a 1.7.34 • https://github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83 https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1173 – stored xss in getgrav/grav
https://notcve.org/view.php?id=CVE-2022-1173
stored xss in GitHub repository getgrav/grav prior to 1.7.33. Una vulnerabilidad de tipo xss almacenado en el repositorio de GitHub getgrav/grav versiones anteriores a 1.7.33 • https://github.com/getgrav/grav/commit/1c0ed43afa5dc14169e6aa693b38e1a2f7aecad9 https://huntr.dev/bounties/b6016e95-9f48-4945-89cb-199b6e072218 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •