CVE-2023-37897
Server-side Template Injection (SSTI) in grav
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 1
Exploited in Wild: -
Decision
Descriptions
Grav is a file-based Web-platform built in PHP. Grav is subject to a server-side template injection (SSTI) vulnerability. The fix for another SSTI vulnerability using the `|map`, `|filter` and `|reduce` twigs, implemented in commit `71bbed1`, introduces a bypass of the denylist due to an incorrect return value from `isDangerousFunction()`, which allows the payload to be executed by prepending a double backslash (`\\`). The `isDangerousFunction()` check in version 1.7.42 and onwards returns `false` instead of `true` when the `\` symbol is found in `$name`. This vulnerability can be exploited if the attacker has access to: 1. an Administrator account, or 2. a non-administrator user account that has Admin panel access and Create/Update page permissions. A fix for this vulnerability has been introduced in commit `b4c6210` and is included in release version `1.7.42.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2023-07-10 CVE Reserved
- 2023-07-18 CVE Published
- 2024-07-24 EPSS Updated
- 2024-10-18 CVE Updated
- 2024-10-18 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-393: Return of Wrong Status Code
CAPEC
References (3)
URL | Tag | Date |
---|---|---|
https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b | Product | - |
https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53 | - | 2024-10-18 |
https://github.com/getgrav/grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7 | - | 2023-07-28 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Getgrav | Grav | 1.7.42 | - | Affected |
Getgrav | Grav | 1.7.42.1 | - | Affected |