CVE-2021-21425
published 2021-04-07CVE-2021-21425: Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an…
PriorityP184critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
80.47%
99.6th percentile
Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes, such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability, an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command under the context of the web-server user. This vulnerability is fixed in version 1.10.8. Blocking access to the `/admin` path from untrusted sources can be applied as a workaround.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav-plugin-admin | < 1.10.8 | 1.10.8 |
| getgrav | grav-plugin-admin | <= 1.10.7 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Flag presence of 'admin-nonce' hidden form field in GET responses from /admin — its presence indicates a vulnerable (≤1.10.7) instance; its absence (replaced by 'login-nonce') indicates a patched instance. ↗
- →Monitor for creation or modification of user/config/scheduler.yaml on the filesystem, especially entries adding new custom_jobs with a 'command' key pointing to a shell or interpreter binary. ↗
- →Detect scheduler-triggered PHP command execution: look for web-server-user processes spawning /usr/bin/php with a -r flag (inline code execution), particularly with base64-encoded payloads. ↗
- →Alert on unauthenticated sessions (no valid auth cookie) that successfully set a grav-site-*-admin cookie and then immediately POST to /admin/config/scheduler — this matches the exploit's two-step cookie-capture-then-exploit flow. ↗
- ·The exploit uses a cron-based execution model (every minute); detection or remediation may have up to a 60-second delay window before the payload fires. ↗
- ·The Metasploit module's default payload is php/meterpreter/reverse_tcp encoded with php/base64; detections relying on plaintext PHP payload content will miss this encoding. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No advisories linked to this vulnerability.
No detection rules found.
Exploit-DB
GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit)
exploitdb·2021-04-21
CVE-2021-21425 GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit)
GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'GravCMS Remote Command Execution',
'Description' => %q{
This module exploits arbitrary config write/update vulnerability to achieve remote code execution.
Unauthenticated users can execute a terminal command under the context of the web server user.
Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages.
In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without
needing any credentials. Particular method execution will result in arbitrary YAML fi
Metasploit
GravCMS Remote Command Execution
metasploit
GravCMS Remote Command Execution
GravCMS Remote Command Execution
This module exploits arbitrary config write/update vulnerability to achieve remote code execution. Unauthenticated users can execute a terminal command under the context of the web server user. Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes, such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulne
No writeups or analysis indexed.
http://packetstormsecurity.com/files/162283/GravCMS-1.10.7-Remote-Command-Execution.htmlhttp://packetstormsecurity.com/files/162457/GravCMS-1.10.7-Remote-Command-Execution.htmlhttps://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pjhttps://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/http://packetstormsecurity.com/files/162283/GravCMS-1.10.7-Remote-Command-Execution.htmlhttp://packetstormsecurity.com/files/162457/GravCMS-1.10.7-Remote-Command-Execution.htmlhttps://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pjhttps://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/
2021-04-07
Published