cvebase

Getgrav Grav CMS vulnerabilities

5 known vulnerabilities affecting getgrav/grav_cms.

Total CVEs: 5
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 3

Vulnerabilities

CVE-2018-5233 | MEDIUM (CVSS 6.1) | P3 | CWE-79 | PoC available | fixed in 1.3.0 | 2018-03-19
Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.
Source: NVD

CVE-2020-29555 | HIGH (CVSS 8.1) | P3 | CWE-22 | fixed in v1.7.0 | 2021-03-15
The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)
Source: NVD

CVE-2020-29553 | HIGH (CVSS 8.8) | P3 | CWE-352 | affected ≤ 1.6.31 | fixed in v1.7.0 | 2021-03-15
The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF).
Source: NVD

CVE-2020-29556 | MEDIUM (CVSS 5.5) | P4 | CWE-22 | fixed in v1.7.0 | 2021-03-15
The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)
Source: NVD

CVE-2019-16126 | MEDIUM (CVSS 6.1) | P4 | CWE-79 | affected ≤ 1.6.15 | 2019-09-09
Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images.
Source: NVD
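As an added illustration of the two backup path-traversal entries (CVE-2020-29555, CVE-2020-29556) and the missing-CSRF-protection angle they share with the Scheduler entry (CVE-2020-29553), the PHP below shows the vulnerable pattern of joining a user-supplied name onto the backups directory next to a hardened variant. It is not Grav's code: the backupPathVulnerable/backupPathHardened/backupDelete names, the backups directory layout and the nonce handling are assumptions made for the example. The hardened resolver canonicalises with realpath(), requires the result to stay inside the backups directory, and the delete refuses to run unless the request carries the token issued to the session.

```php
<?php
// Added illustration of the CWE-22 / CWE-352 pattern in the Grav CMS backup
// and Scheduler entries above. Not Grav's own code; function names, the
// "backups" directory layout and the nonce handling are assumptions.
declare(strict_types=1);

// Vulnerable: the caller's name is glued straight onto the directory, so a
// name such as "../secret.yaml" resolves to a file outside it.
function backupPathVulnerable(string $backupDir, string $name): string
{
    return $backupDir . '/' . $name;
}

// Hardened: accept only a plain archive name, canonicalise with realpath()
// (which collapses ".." and symlinks) and require the result to sit under
// the backups directory. Returns null for anything that does not qualify.
function backupPathHardened(string $backupDir, string $name): ?string
{
    if (preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.zip$/', $name) !== 1) {
        return null;
    }
    $base = realpath($backupDir);
    $path = realpath($backupDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Compare against "base + separator" so a sibling such as "backups_old"
    // is not mistaken for something inside "backups".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// A state-changing admin action also needs a per-session CSRF token; the two
// backup entries note that the traversal was reachable without one.
function backupDelete(string $backupDir, string $name, string $submittedNonce, string $sessionNonce): bool
{
    if ($submittedNonce === '' || !hash_equals($sessionNonce, $submittedNonce)) {
        return false;
    }
    $path = backupPathHardened($backupDir, $name);
    return $path !== null && unlink($path);
}

// Demo on a constructed throwaway layout: one archive inside the backups
// directory and one sensitive file one level above it.
$root = sys_get_temp_dir() . '/grav-demo-' . bin2hex(random_bytes(4));
mkdir("$root/backups", 0700, true);
file_put_contents("$root/backups/site-2021-03-15.zip", 'zip');
file_put_contents("$root/secret.yaml", 'password: hunter2');

$traversal = '../secret.yaml';
echo "vulnerable path exists: ";
var_dump(file_exists(backupPathVulnerable("$root/backups", $traversal)));
echo "hardened path for traversal name: ";
var_dump(backupPathHardened("$root/backups", $traversal));
echo "hardened path for real archive: ";
var_dump(backupPathHardened("$root/backups", 'site-2021-03-15.zip'));

$nonce = bin2hex(random_bytes(16));
echo "delete without CSRF token: ";
var_dump(backupDelete("$root/backups", 'site-2021-03-15.zip', '', $nonce));
echo "delete with matching token: ";
var_dump(backupDelete("$root/backups", 'site-2021-03-15.zip', $nonce, $nonce));

// Clean up the constructed layout.
unlink("$root/secret.yaml");
rmdir("$root/backups");
rmdir($root);
```

Run it with the php command-line interpreter. The vulnerable resolver reaches the outside file through the ../ segment, the hardened resolver returns null for the same name while still resolving the genuine archive, and the delete only proceeds once the submitted nonce matches the session nonce. Both checks are needed together: the containment check alone would still let a cross-site request delete legitimate backups, and the token alone would still let an authenticated admin delete arbitrary files.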