2 matches found
CVE-2023-34253 Grav vulnerable to Server-side Template Injection (SSTI) via Denylist Bypass
Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- 1 using unsafe functions that...
CVE-2023-34253
CVE-2023-34253 concerns Grav CMS before v1.7.42, where a weakened denylist for dangerous Twig functions allows a logged‑in admin with page creation/update rights (or a user with Admin login) to inject templates and achieve remote code execution. The vulnerability stems from multiple bypass pathwa...