CVE-2024-28119

HIGH

Grav < 1.7.45 - Code Injection

Title source: rule

Description

Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue.

References (3)

Scores

CVSS v3 8.8
EPSS 0.0141
EPSS Percentile 80.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (2)
getgrav/grav < 1.7.45
getgrav/grav 0 - 1.7.45Packagist
Published Mar 21, 2024
Tracked Since Feb 18, 2026