CVE-2023-34251

Опубликовано: 14 июн. 2023

Источник: nvd

CVSS3: 9.9

CVSS3: 7.2

EPSS Низкий

Описание

Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.

Ссылки

https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174
Vendor Advisory
https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5
Patch
https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5
Exploit
Vendor Advisory
https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174
Vendor Advisory
https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5
Patch
https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*

Версия до 1.7.42 (исключая)

EPSS

Процентиль: 85%

0.02535

Низкий

9.9 Critical

CVSS3

7.2 High

CVSS3

Дефекты

CWE-94

Связанные уязвимости

GHSA-f9jf-4cp4-4fq5

CVSS3: 9.1

github

больше 2 лет назад

Grav Server Side Template Injection (SSTI) vulnerability

EPSS

Процентиль: 85%

0.02535

Низкий

9.9 Critical

CVSS3

7.2 High

CVSS3

Дефекты

CWE-94