cbcvebase.
CVE-2021-21425
published 2021-04-07

CVE-2021-21425: Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an…

PriorityP184critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
80.47%
99.6th percentile
Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes, such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability, an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command under the context of the web-server user. This vulnerability is fixed in version 1.10.8. Blocking access to the `/admin` path from untrusted sources can be applied as a workaround.

Affected

2 ranges
VendorProductVersion rangeFixed in
getgravgrav-plugin-admin< 1.10.81.10.8
getgravgrav-plugin-admin<= 1.10.7

Detection & IOCsextracted from sources · hover to see the quote

url/admin
url/admin/config/scheduler
cookiegrav-site-[a-z0-9]+-admin
otheradmin-nonce
commandtask=SaveDefault
pathuser/config/scheduler.yaml
  • Flag presence of 'admin-nonce' hidden form field in GET responses from /admin — its presence indicates a vulnerable (≤1.10.7) instance; its absence (replaced by 'login-nonce') indicates a patched instance.
  • Monitor for creation or modification of user/config/scheduler.yaml on the filesystem, especially entries adding new custom_jobs with a 'command' key pointing to a shell or interpreter binary.
  • Detect scheduler-triggered PHP command execution: look for web-server-user processes spawning /usr/bin/php with a -r flag (inline code execution), particularly with base64-encoded payloads.
  • Alert on unauthenticated sessions (no valid auth cookie) that successfully set a grav-site-*-admin cookie and then immediately POST to /admin/config/scheduler — this matches the exploit's two-step cookie-capture-then-exploit flow.
  • ·The exploit uses a cron-based execution model (every minute); detection or remediation may have up to a 60-second delay window before the payload fires.
  • ·The Metasploit module's default payload is php/meterpreter/reverse_tcp encoded with php/base64; detections relying on plaintext PHP payload content will miss this encoding.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.