CVE-2024-27923

Published: Mar 21, 2024Modified: Jan 2, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code execution. Version 1.7.43 fixes this issue.

Affected (1)

Products: Getgrav: Grav

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Getgrav Grav	Before 1.7.43

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://github.com/getgrav/grav/commit/e3b0aa0c502aad251c1b79d1ee973dcd93711f07

Source: security-advisories@github.com

Patch

https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/getgrav/grav/commit/e3b0aa0c502aad251c1b79d1ee973dcd93711f07

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.