Mahagr

**Name of the Vulnerable Software and Affected Versions** getgrav/grav versions prior to 1.7.34 **Description** The issue concerns Server Side Template Injection via Twig, where Twig should not render dangerous functions by default, such as `system`. This is related to Code Injection in the GitHub repository getgrav/grav. **Recommendations** For versions prior to 1.7.34, update to version 1.7.34 or later to resolve the issue. As a temporary workaround, consider restricting the use of Twig to minimize the risk of exploitation. Avoid using dangerous functions, such as `system`, in Twig templates until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** getgrav/grav versions prior to 1.7.33 **Description** The issue is related to stored cross-site scripting (XSS) in the GitHub repository getgrav/grav. **Recommendations** For versions prior to 1.7.33, update to version 1.7.33 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** getgrav/grav versions prior to 1.7.28 **Description** The issue is related to Cross-site Scripting (XSS) - Stored, which allows a low privilege user to create a page with arbitrary javascript by bypassing insufficient XSS filtering. **Recommendations** For versions prior to 1.7.28, update to version 1.7.28 or later to resolve the issue. As a temporary workaround, consider restricting access to page creation functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** grav-plugin-admin (affected versions not specified) **Description** The issue concerns Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This means that the software fails to properly neutralize user input, allowing an attacker to inject malicious code into web pages. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** grav (affected versions not specified) **Description** The issue is related to Improper Limitation of a Pathname to a Restricted Directory, also known as 'Path Traversal'. This means that an attacker could potentially access files or directories outside the intended restricted directory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** grav versions prior to 1.7.24 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for the injection of malicious scripts into web pages. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions prior to 1.7.24, update to version 1.7.24 or later to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: grav-plugin-admin (affected versions not specified) Description: The issue is related to Improper Restriction of Rendered UI Layers or Frames. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.