Lucene search

Grav's Twig processing allowing dangerous PHP functions by default

🗓️ 16 Apr 2021 19:12:53Reported by GitHub Advisory DatabaseType

github🔗 github.com👁 106 Views

Grav's Twig processing allows arbitrary PHP functions, leading to code execution and privilege escalation

Reporter	Title	Published	Views	Family All 13
Veracode	Remote Code Execution	19 Apr 202109:30	–	veracode
CVE	CVE-2021-29440	13 Apr 202120:15	–	cve
Packet Storm	Grav CMS 1.7.10 Server-Side Template Injection	7 Jun 202100:00	–	packetstorm
0day.today	Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated) Exploit	7 Jun 202100:00	–	zdt
NVD	CVE-2021-29440	13 Apr 202120:15	–	nvd
CNVD	Grav Code Injection Vulnerability	6 May 202100:00	–	cnvd
OSV	Grav's Twig processing allowing dangerous PHP functions by default	16 Apr 202119:53	–	osv
GithubExploit	Exploit for Code Injection in Getgrav Grav	6 Jun 202100:51	–	githubexploit
Check Point Advisories	Grav CMS Command Injection (CVE-2021-29440)	24 Jun 202100:00	–	checkpoint_advisories
Prion	Design/Logic Flaw	13 Apr 202120:15	–	prion

Vulners

Node

getgrav gravRange≤1.7.10

Source	Link
github	www.github.com/getgrav/grav/security/advisories/GHSA-g8r4-p96j-xfxc
packagist	www.packagist.org/packages/getgrav/grav
nvd	www.nvd.nist.gov/vuln/detail/CVE-2021-29440
packetstormsecurity	www.packetstormsecurity.com/files/162987/Grav-CMS-1.7.10-Server-Side-Template-Injection.html
blog	www.blog.sonarsource.com/grav-cms-code-execution-vulnerabilities
github	www.github.com/advisories/GHSA-g8r4-p96j-xfxc

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

16 Apr 2021 19:53Current

2.2Low risk

Vulners AI Score2.2

CVSS26.5

CVSS37.2 - 8.4

EPSS0.09769

CWE-94