CVE-2023-34251

moderate-risk

Published 2023-06-14

Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.

Do I need to act?

2.6% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: dc209453d0817547db0d3a8b27110decb63f2b5d

CVSS 9.9/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Grav

Affected Vendors

Getgrav

References (6)

Vendor Advisory https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extensi...

Patch https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5

Exploit https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5

Vendor Advisory https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extensi...

Patch https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5

Exploit https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5

/ 100

moderate-risk

Severity 33/34 · Critical

Exploitability 6/34 · Minimal

Exposure 5/34 · Minimal