CVE-2024-27921
HIGH
Grav < 1.7.45 - Path Traversal and Arbitrary File Write via File Upload
Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw poses severe risks: it can allow attackers to inject arbitrary code on the server, undermine the integrity of backup files by overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration techniques. Upgrading to the patched version 1.7.45 can mitigate the issue.
References (2)
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc
Patch x_refsource_misc
https://github.com/getgrav/grav/commit/5928411b86bab05afca2b33db4e7386a44858e99
Scores
CVSS v3: 8.8
EPSS: 0.6058
EPSS Percentile: 99.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-22
Status: published
Products (2)
getgrav/grav: < 1.7.45
getgrav/grav: 0 - 1.7.45 (Packagist)
Published: Mar 21, 2024
Tracked Since: Feb 18, 2026