Grav vulnerability allows arbitrary code execution and elevated privileges
CVE-2024-28117

8.8HIGH

Key Information:

Vendor: Getgrav
Status: Grav
Vendor: CVE Published:; 21 March 2024

What is CVE-2024-28117?

Grav is an open-source, flat-file content management system that has a critical vulnerability allowing potential attackers to execute arbitrary commands. This issue arises from the lack of restrictions on certain Twig functions, specifically when administrative users enable Twig processing of static pages in the front matter. As the Utils::isDangerousFunction does not adequately validate all accessible functions, this misconfiguration creates an opportunity for unauthorized command execution. Upgrading to Grav version 1.7.45 or later is essential for mitigating the risks associated with this vulnerability.

Affected Version(s)

grav < 1.7.45

References

https://github.com/getgrav/grav/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/getgrav/grav/commit/de1ccfa12dbcbf5261...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 21, 2024
Vulnerability Reserved
Mar 4, 2024

JSON

Getgrav

What is CVE-2024-28117?

Affected Version(s)

References

CVSS V3.1

Timeline