exploitDog

CVE-2021-47812

Опубликовано: 16 янв. 2026

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system command execution.

Ссылки

https://getgrav.org
Product
https://www.exploit-db.com/exploits/49973
Exploit
https://www.vulncheck.com/advisories/gravcms-arbitrary-yaml-writeupdate-unauthenticated
Third Party Advisory
https://www.exploit-db.com/exploits/49973
Exploit

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:getgrav:grav:1.10.7:*:*:*:*:*:*:*

EPSS

Процентиль: 51%

0.00276

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-862

Связанные уязвимости

GHSA-474v-g7v9-75hp

CVSS3: 7.5

github

23 дня назад

GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system command execution.

EPSS

Процентиль: 51%

0.00276

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-862