CVE-2021-47812

Name of the Vulnerable Software and Affected Versions GravCMS version 1.10.7

Description GravCMS version 1.10.7 has an issue allowing remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system command execution. The ''/scheduler'' endpoint is affected. The admin-nonce parameter is used to inject payloads.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.