← Back

Grav Cms

grav_cms

Vendor: Getgrav • 5 CVEs

CVEs (5)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2020-29553
1Getgrav
1Grav Cms
Nov 21, 2024
Mar 15, 2021
N/A· v4
8.8 HIGH· v3
5.1 MEDIUM· v2
The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF).
CVE-2020-29556
1Getgrav
1Grav Cms
Nov 21, 2024
Mar 15, 2021
N/A· v4
5.5 MEDIUM· v3
2.1 LOW· v2
The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be e...Show more
The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)Show less
CVE-2020-29555
1Getgrav
1Grav Cms
Nov 21, 2024
Mar 15, 2021
N/A· v4
8.1 HIGH· v3
5.5 MEDIUM· v2
The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be...Show more
The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)Show less
CVE-2019-16126
1Getgrav
1Grav Cms
Nov 21, 2024
Sep 9, 2019
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images.
CVE-2018-5233
1Getgrav
1Grav Cms
Nov 21, 2024
Mar 19, 2018
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.