CVE-2023-29297 – Admin-to-admin stored XSS via cache poisoning
https://notcve.org/view.php?id=CVE-2023-29297
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Improper Neutralization of Special Elements Used in a Template Engine vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. • https://helpx.adobe.com/security/products/magento/apsb23-35.html • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
CVE-2023-21618 – ZDI-CAN-20963: Adobe Substance 3D Designer SBS File Parsing Uninitialized Variable Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-21618
Adobe Substance 3D Designer version 12.4.1 (and earlier) is affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. • https://helpx.adobe.com/security/products/substance3d_designer/apsb23-39.html • CWE-824: Access of Uninitialized Pointer
CVE-2023-34448 – Grav Server-side Template Injection (SSTI) via Twig Default Filters
https://notcve.org/view.php?id=CVE-2023-34448
Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.7.42 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`. • https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8 https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8 https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148 https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66 https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
CVE-2023-34253 – Grav vulnerable to Server-side Template Injection (SSTI) via Denylist Bypass
https://notcve.org/view.php?id=CVE-2023-34253
Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways: (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist. • https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190 https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66 https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-184: Incomplete List of Disallowed Inputs CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
CVE-2023-34252 – Grav Server-side Template Injection via Insufficient Validation in filterFilter
https://notcve.org/view.php?id=CVE-2023-34252
Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. The vulnerability can be found in the `GravExtension.filterFilter()` function declared in `/system/src/Grav/Common/Twig/Extension/GravExtension.php`. • https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698 https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074 https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec https://github.com/getgrav/grav/security/advisories/GHSA-96xv-rmwj-6p9w • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-184: Incomplete List of Disallowed Inputs CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine