6 matches found
CVE-2022-2073
Code Injection in GitHub repository getgrav/grav prior to 1.7.34...
Server-side Template Injection(SSTI)
getgrav/grav is vulnerable to Server-side Template Injection SSTI. An authenticated remote attacker is able to cause server side template injection via the Twig engine which renders risky functions by default, such as system. Insufficient fix in addressing CVE-2022-2073 allows the bypass of the...
GHSA-WHR7-M3F8-MPM8 Grav Server-side Template Injection (SSTI) via Twig Default Filters
Hi, actually we have sent the bug report to [email protected] on 27th March 2023 and on 10th April 2023. Grav Server-side Template Injection SSTI via Twig Default Filters Summary: | Product | Grav CMS | | ----------------------- | --------------------------------------------- | | Vendor | Grav...
Grav Server-side Template Injection (SSTI) via Twig Default Filters
Hi, actually we have sent the bug report to [email protected] on 27th March 2023 and on 10th April 2023. Grav Server-side Template Injection SSTI via Twig Default Filters Summary: | Product | Grav CMS | | ----------------------- | --------------------------------------------- | | Vendor | Grav...
Design/Logic Flaw
Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default filter function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke...
CVE-2022-2073
CVE-2022-2073 is a Grav SSTI vulnerability in getgrav/grav prior to 1.7.34 where the Twig filter function could be abused to trigger unsafe calls. Grav patched filter() in 1.7.34, but attackers could still abuse other Twig core filters (e.g., map/reduce) to reach remote code execution unless thos...