33 matches found
PT-2026-37278
Name of the Vulnerable Software and Affected Versions Grav versions prior to 2.0.0-beta.2 Description A stored Cross-Site Scripting XSS issue allows publisher-level accounts to execute arbitrary JavaScript. The problem is caused by a blacklist bypass in the detectXss function, which fails to...
EUVD-2022-0492
Malicious code in bioql PyPI...
CVE-2022-2073
Code Injection in GitHub repository getgrav/grav prior to 1.7.34...
Arbitrary Code Execution
getgrav/grav is vulnerable to Arbitrary Code Execution. This vulnerability is due to improper validation of accessible functions through the Utils::isDangerousFunction and the lack of restrictions on twig functions like twigarraymap, allowing attackers to bypass the validation and execute arbitra...
Insufficient Permission Validation
getgrav/grav is vulnerable to Insufficient Permission Validation. The vulnerability is due to enabling regular users with page creation privileges to access the Frontmatter feature when the datajsonheaderform parameter is included in the POST body while creating a page. The vulnerability is also...
Server-Side Template Injection (SSTI)
getgrav/grav is vulnerable to Server-Side Template Injection SSTI. The vulnerability exists because the Filter function of GravExtension.php does not properly block the other built-in functions exposed by Twig's Core Extension, which allows an attacker to invoke arbitrary unsafe functions, leadin...
Remote Code Execution
getgrav/grav is vulnerable to remote code execution. An authenticated remote attacker is able to cause server side template injection via Twig which renders risky functions by default, such as system...
CVE-2022-2073
Code Injection in GitHub repository getgrav/grav prior to 1.7.34...
Code injection
Code Injection in GitHub repository getgrav/grav prior to 1.7.34...
CVE-2022-2073 Code Injection in getgrav/grav
Code Injection in GitHub repository getgrav/grav prior to 1.7.34...
CVE-2022-2073
CVE-2022-2073 is a Grav SSTI vulnerability in getgrav/grav prior to 1.7.34 where the Twig filter function could be abused to trigger unsafe calls. Grav patched filter() in 1.7.34, but attackers could still abuse other Twig core filters (e.g., map/reduce) to reach remote code execution unless thos...
CVE-2022-2073 Code Injection in getgrav/grav
Code Injection in GitHub repository getgrav/grav prior to 1.7.34...
PT-2022-14839 · Unknown · Getgrav/Grav
Name of the Vulnerable Software and Affected Versions: getgrav/grav versions prior to 1.7.34 Description: The issue concerns Server Side Template Injection via Twig, where Twig should not render dangerous functions by default, such as system. This is related to Code Injection in the GitHub...
CVE-2022-1173
stored xss in GitHub repository getgrav/grav prior to 1.7.33...
Cross site scripting
stored xss in GitHub repository getgrav/grav prior to 1.7.33...
Cross-Site Scripting (XSS)
getgrav/grav is vulnerable to stored cross-site scripting. The vulnerability exists due to lack of xss validations for uploaded SVG files before they get stored which allows an attacker to inject and execute arbitrary javascript...
CVE-2022-0970
Cross-site Scripting XSS - Stored in GitHub repository getgrav/grav prior to 1.7.31...
CVE-2022-0970 Cross-site Scripting (XSS) - Stored in getgrav/grav
Cross-site Scripting XSS - Stored in GitHub repository getgrav/grav prior to 1.7.31...
CVE-2022-0743
Cross-site Scripting XSS - Stored in GitHub repository getgrav/grav prior to 1.7.31...
CVE-2022-0743 Cross-site Scripting (XSS) - Stored in getgrav/grav
Cross-site Scripting XSS - Stored in GitHub repository getgrav/grav prior to 1.7.31...