| Title | Published | Views | Family |
|---|---|---|---|
| GravCMS 1.10.7 - Unauthenticated Arbitrary YAML Write/Update Exploit | 21 Apr 2021 00:00 | – | zdt |
| GravCMS 1.10.7 Remote Command Execution Exploit | 4 May 2021 00:00 | – | zdt |
| Exploit for Improper Access Control in Getgrav Grav-Plugin-Admin | 15 May 2026 17:42 | – | githubexploit |
| Exploit for Improper Access Control in Getgrav Grav-Plugin-Admin | 13 Nov 2024 00:30 | – | githubexploit |
| Exploit for Improper Access Control in Getgrav Grav-Plugin-Admin | 21 Jan 2026 04:45 | – | githubexploit |
| CVE-2021-21425 | 21 Apr 2021 00:00 | – | circl |
| Grav security vulnerability | 7 Apr 2021 00:00 | – | cnnvd |
| CVE-2021-21425 Unauthenticated Arbitrary YAML Write/Update leads to Code Execution | 7 Apr 2021 18:20 | – | cvelist |
| GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit) | 21 Apr 2021 00:00 | – | exploitdb |
| GravCMS Remote Command Execution | 4 May 2021 17:41 | – | metasploit |

```json
[
  {
    "product": "grav-plugin-admin",
    "vendor": "getgrav",
    "versions": [
      {
        "status": "affected",
        "version": "<= 1.10.7"
      }
    ]
  }
]
```

| Parameter | Position | Path | Description | CWE |
|---|---|---|---|---|
| admin-nonce | path | admin | Unauthenticated access to Grav Admin UI to obtain admin nonce/cookie for further exploitation. | CWE-284 |
| cookie | path | admin | Unauthenticated access to Grav Admin UI to obtain admin nonce/cookie for further exploitation. | CWE-284 |
| hidden inputs | path | admin | Unauthenticated access to Grav Admin UI to obtain admin nonce/cookie for further exploitation. | CWE-284 |
| data[custom_jobs][<name>][command] | request body | admin/config/scheduler | Scheduler configuration write enables arbitrary command execution by adding a custom_job that runs a shell command, enabling RCE. | CWE-284 |
| data[custom_jobs][<name>][args] | request body | admin/config/scheduler | Scheduler configuration write enables arbitrary command execution by adding a custom_job that runs a shell command, enabling RCE. | CWE-284 |
| data[custom_jobs][<name>][at] | request body | admin/config/scheduler | Scheduler configuration write enables arbitrary command execution by adding a custom_job that runs a shell command, enabling RCE. | CWE-284 |
| data[custom_jobs][<name>][output] | request body | admin/config/scheduler | Scheduler configuration write enables arbitrary command execution by adding a custom_job that runs a shell command, enabling RCE. | CWE-284 |
| data[status][<name>] | request body | admin/config/scheduler | Scheduler configuration write enables arbitrary command execution by adding a custom_job that runs a shell command, enabling RCE. | CWE-284 |
| data[custom_jobs][<name>][output_mode] | request body | admin/config/scheduler | Scheduler configuration write enables arbitrary command execution by adding a custom_job that runs a shell command, enabling RCE. | CWE-284 |
| admin-nonce | request body | admin/config/scheduler | Scheduler configuration write enables arbitrary command execution by adding a custom_job that runs a shell command, enabling RCE. | CWE-284 |