CVE-2020-29555

Name of the Vulnerable Software and Affected Versions: Grav CMS versions 1.7.0-rc.17 and earlier

Description: The issue allows an authenticated attacker to delete arbitrary files on the server using a path-traversal technique. Additionally, an unauthenticated attacker can exploit this due to a lack of CSRF protection. The Scheduler component can also be exploited by tricking an admin into visiting a malicious website, allowing an attacker to execute system commands.

Recommendations: For Grav CMS versions 1.7.0-rc.17 and earlier, consider disabling the BackupDelete functionality and restrict access to the Scheduler component until a patch is available. As a temporary workaround, implement CSRF protection to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.