CVE-2023-34251

Published: Jun 14, 2023Modified: Nov 21, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.

Affected (1)

Products: Getgrav: Grav

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Getgrav Grav	Before 1.7.42

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174

Source: security-advisories@github.com

Vendor Advisory

https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5

Source: security-advisories@github.com

Patch

https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.