2 matches found
CVE-2023-34252 Grav Server-side Template Injection via Insufficient Validation in filterFilter
Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the GravExtension.filterFilter function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a...
CVE-2023-34252
CVE-2023-34252 — Grav SSTI (GravExtension.filterFilter) grav CMS versions prior to 1.7.42 contain a logic flaw in GravExtension.filterFilter() where unsafe-function validation runs only for string arrows; passing an array as a callable bypasses the check, enabling authenticated admin users with p...