cbcvebase.
CVE-2024-27921
published 2024-03-21

CVE-2024-27921: Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version…

PriorityP274high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
60.59%
99.0th percentile
Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw poses severe risks, that can allow attackers to inject arbitrary code on the server, undermine integrity of backup files by overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration techniques. Upgrading to patched version 1.7.45 can mitigate the issue.

Affected

2 ranges
VendorProductVersion rangeFixed in
getgravgrav< 1.7.451.7.45
getgravgrav>= 0 < 1.7.451.7.45
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.