Incomplete List of Disallowed Inputs Affecting getgrav/grav package, versions <1.7.42


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
1.53% (88th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-GETGRAVGRAV-5710381
  • published15 Jun 2023
  • disclosed15 Jun 2023
  • creditRenan Rocha

Introduced: 15 Jun 2023

CVE-2023-34253  (opens in a new tab)
CWE-184  (opens in a new tab)

How to fix?

Upgrade getgrav/grav to version 1.7.42 or higher.

Overview

getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS.

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs. The denylist which is used to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways: (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low-privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution.

PoC

{{['cat\x20/etc/passwd']|filter('system')}}

CVSS Scores

version 3.1