Vulnerability Description
Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Getgrav | Grav | < 1.7.42 |
Related Weaknesses (CWE)
References
- https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/ExtensiVendor Advisory
- https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5Patch
- https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5ExploitVendor Advisory
- https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/ExtensiVendor Advisory
- https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5Patch
- https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5ExploitVendor Advisory
FAQ
What is CVE-2023-34251?
CVE-2023-34251 is a vulnerability with a CVSS score of 9.9 (CRITICAL). Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the admin...
How severe is CVE-2023-34251?
CVE-2023-34251 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-34251?
Check the references section above for vendor advisories and patch information. Affected products include: Getgrav Grav.