Vendor CVEs
Getgrav
All CVEs
70 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-28116 | 0.00 | — | 0.06 | Mar 21, 2024 | Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server… | |||
| CVE-2024-27921 | 0.00 | — | 0.61 | Mar 21, 2024 | Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical… | |||
| CVE-2024-27923 | 0.00 | — | 0.01 | Mar 6, 2024 | Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code execution. Version 1.7.43 fixes this issue. | |||
| CVE-2023-37897 | 0.00 | — | 0.02 | Jul 18, 2023 | Grav is a file-based Web-platform built in PHP. Grav is subject to a server side template injection (SSTI) vulnerability. The fix for another SSTI vulnerability using `|map`, `|filter` and `|reduce` twigs implemented in the commit `71bbed1` introduces bypass of the denylist due… | |||
| CVE-2023-34452 | 0.00 | — | 0.01 | Jun 14, 2023 | Grav is a flat-file content management system. In versions 1.7.42 and prior, the "/forgot_password" page has a self-reflected cross-site scripting vulnerability that can be exploited by injecting a script into the "email" parameter of the request. While this vulnerability can… | |||
| CVE-2023-34448 | 0.00 | — | 0.05 | Jun 14, 2023 | Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that… | |||
| CVE-2023-34253 | 0.00 | — | 0.02 | Jun 14, 2023 | Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using… | |||
| CVE-2023-34252 | 0.00 | — | 0.02 | Jun 14, 2023 | Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However,… | |||
| CVE-2023-34251 | 0.00 | — | 0.02 | Jun 14, 2023 | Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains… | |||
| CVE-2022-2073 | 0.00 | — | 0.10 | Jun 29, 2022 | Code Injection in GitHub repository getgrav/grav prior to 1.7.34. | |||
| CVE-2022-1173 | 0.00 | — | 0.01 | Apr 26, 2022 | stored xss in GitHub repository getgrav/grav prior to 1.7.33. | |||
| CVE-2022-0970 | 0.00 | — | 0.02 | Mar 15, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31. | |||
| CVE-2022-0743 | 0.00 | — | 0.01 | Feb 28, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31. | |||
| CVE-2022-0268 | 0.00 | — | 0.01 | Jan 25, 2022 | Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav prior to 1.7.28. | |||
| CVE-2021-3920 | 0.00 | — | 0.01 | Nov 19, 2021 | grav-plugin-admin is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||
| CVE-2021-3924 | 0.00 | — | 0.04 | Nov 5, 2021 | grav is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | |||
| CVE-2021-3904 | 0.00 | — | 0.01 | Oct 27, 2021 | grav is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||
| CVE-2021-3818 | 0.00 | — | 0.02 | Sep 27, 2021 | grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking | |||
| CVE-2021-3799 | 0.00 | — | 0.02 | Sep 27, 2021 | grav-plugin-admin is vulnerable to Improper Restriction of Rendered UI Layers or Frames | |||
| CVE-2021-29439 | 0.00 | — | 0.03 | Apr 13, 2021 | The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary… |
- CVE-2024-28116Mar 21, 2024risk 0.00cvss —epss 0.06
Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server…
- CVE-2024-27921Mar 21, 2024risk 0.00cvss —epss 0.61
Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical…
- CVE-2024-27923Mar 6, 2024risk 0.00cvss —epss 0.01
Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code execution. Version 1.7.43 fixes this issue.
- CVE-2023-37897Jul 18, 2023risk 0.00cvss —epss 0.02
Grav is a file-based Web-platform built in PHP. Grav is subject to a server side template injection (SSTI) vulnerability. The fix for another SSTI vulnerability using `|map`, `|filter` and `|reduce` twigs implemented in the commit `71bbed1` introduces bypass of the denylist due…
- CVE-2023-34452Jun 14, 2023risk 0.00cvss —epss 0.01
Grav is a flat-file content management system. In versions 1.7.42 and prior, the "/forgot_password" page has a self-reflected cross-site scripting vulnerability that can be exploited by injecting a script into the "email" parameter of the request. While this vulnerability can…
- CVE-2023-34448Jun 14, 2023risk 0.00cvss —epss 0.05
Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that…
- CVE-2023-34253Jun 14, 2023risk 0.00cvss —epss 0.02
Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using…
- CVE-2023-34252Jun 14, 2023risk 0.00cvss —epss 0.02
Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However,…
- CVE-2023-34251Jun 14, 2023risk 0.00cvss —epss 0.02
Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains…
- CVE-2022-2073Jun 29, 2022risk 0.00cvss —epss 0.10
Code Injection in GitHub repository getgrav/grav prior to 1.7.34.
- CVE-2022-1173Apr 26, 2022risk 0.00cvss —epss 0.01
stored xss in GitHub repository getgrav/grav prior to 1.7.33.
- CVE-2022-0970Mar 15, 2022risk 0.00cvss —epss 0.02
Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31.
- CVE-2022-0743Feb 28, 2022risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31.
- CVE-2022-0268Jan 25, 2022risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav prior to 1.7.28.
- CVE-2021-3920Nov 19, 2021risk 0.00cvss —epss 0.01
grav-plugin-admin is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE-2021-3924Nov 5, 2021risk 0.00cvss —epss 0.04
grav is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CVE-2021-3904Oct 27, 2021risk 0.00cvss —epss 0.01
grav is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE-2021-3818Sep 27, 2021risk 0.00cvss —epss 0.02
grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking
- CVE-2021-3799Sep 27, 2021risk 0.00cvss —epss 0.02
grav-plugin-admin is vulnerable to Improper Restriction of Rendered UI Layers or Frames
- CVE-2021-29439Apr 13, 2021risk 0.00cvss —epss 0.03
The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary…
Page 2 of 2