CVE-2024-27923

Опубликовано: 21 мар. 2024

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the frontmatter feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code execution. Version 1.7.43 fixes this issue.

Ссылки

https://github.com/getgrav/grav/commit/e3b0aa0c502aad251c1b79d1ee973dcd93711f07
Patch
https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v
Exploit
Vendor Advisory
https://github.com/getgrav/grav/commit/e3b0aa0c502aad251c1b79d1ee973dcd93711f07
Patch
https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*

Версия до 1.7.43 (исключая)

EPSS

Процентиль: 91%

0.07188

Низкий

8.8 High

CVSS3

Дефекты

CWE-287

CWE-434

Связанные уязвимости

GHSA-f6g2-h7qv-3m5v

github

почти 2 года назад

Remote Code Execution by uploading a phar file using frontmatter