PT-2021-11691 · Grav Cms · Grav Cms
Published 2021-03-15 · Updated 2022-05-24 · CVE-2020-29553
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Grav CMS versions through 1.7.0-rc.17
Description:
The vulnerability allows an attacker to execute system commands, or to read and delete arbitrary files on the server, by combining a path-traversal flaw with the absence of CSRF protection. Because the vulnerable actions run with the privileges of a logged-in administrator, exploitation requires tricking an admin into visiting a malicious website while authenticated.
Recommendations:
For Grav CMS versions through 1.7.0-rc.17, as a temporary workaround, consider disabling the Scheduler and Backup functionality until a patch is available. Restrict access to the BackupDelete functionality to minimize the risk of exploitation, and avoid using the Backup functionality to read local files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
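The two weaknesses named in the description, a file path built from user input without containment checks and a state-changing action with no CSRF token, are shown below in a hypothetical backup-delete handler with its hardened counterpart. This is an added illustration written for this advisory; it is not Grav's code, and the directory layout, `session`/`form` dictionaries and function names are assumptions.

```python
"""Illustration of a backup-delete endpoint hardened against path traversal
and CSRF. Hypothetical code, not taken from Grav CMS."""
import hmac
import os
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional


class RequestRejected(Exception):
    """Raised when a request fails a security check."""


def naive_path(backups_dir: str, requested: str) -> str:
    """The weak pattern: join the user-supplied name onto the backup directory.
    Traversal segments in `requested` walk out of `backups_dir`."""
    return os.path.normpath(os.path.join(backups_dir, requested))


def resolve_inside(base_dir: str, requested: str) -> Path:
    """Hardened path handling: resolve the candidate (following symlinks) and
    accept it only if it is strictly below the backup directory."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    # Absolute input replaces `base` in the join; traversal resolves above it.
    # Both end up outside `base.parents` and are rejected here.
    if base not in candidate.parents:
        raise RequestRejected(f"path escapes backup directory: {requested!r}")
    return candidate


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Bind a fresh random token to the session; the form must echo it back."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session: Dict[str, str], submitted: Optional[str]) -> None:
    """Constant-time comparison of the submitted token with the session's."""
    expected = session.get("csrf_token")
    if not expected or submitted is None or not hmac.compare_digest(expected, submitted):
        raise RequestRejected("missing or invalid CSRF token")


def delete_backup(session: Dict[str, str], form: Dict[str, str],
                  backups_dir: str, method: str = "POST") -> str:
    """Hardened handler: POST only, CSRF token required, path contained."""
    if method != "POST":
        raise RequestRejected("state change must be a POST")
    verify_csrf(session, form.get("csrf_token"))
    target = resolve_inside(backups_dir, form.get("backup", ""))
    if not target.is_file():
        raise RequestRejected("no such backup")
    target.unlink()
    return target.name


def demo() -> Dict[str, str]:
    """Run three constructed requests against a temporary backup directory
    and report the outcome of each."""
    backups_dir = tempfile.mkdtemp(prefix="backups-")
    Path(backups_dir, "site.zip").write_bytes(b"constructed backup archive")
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    outcomes: Dict[str, str] = {}

    # 1. Cross-site request: attacker's page cannot read the token.
    try:
        delete_backup(session, {"backup": "site.zip"}, backups_dir)
        outcomes["no_token"] = "deleted"
    except RequestRejected:
        outcomes["no_token"] = "rejected"

    # 2. Valid token but traversal in the file name.
    try:
        delete_backup(session, {"backup": "../../etc/passwd", "csrf_token": token},
                      backups_dir)
        outcomes["traversal"] = "deleted"
    except RequestRejected:
        outcomes["traversal"] = "rejected"

    # 3. Legitimate admin request: token present, name inside the directory.
    outcomes["valid"] = delete_backup(
        session, {"backup": "site.zip", "csrf_token": token}, backups_dir)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

`naive_path` is kept only to show where the traversal comes from; `resolve_inside` replaces it and also handles absolute paths and symlinks because it checks the fully resolved location. The CSRF check relies on the token being unreadable from another origin, which is why a GET-triggered or token-less action is exactly what a malicious page can drive.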
Exploit
Path traversal
CSRF
Affected Products
Grav Cms