PT-2021-11693 · Grav CMS

Published 2021-03-15 · Updated 2022-05-24

CVE-2020-29556

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Grav CMS versions through 1.7.0-rc.17
Description: A path-traversal flaw in Grav CMS allows an attacker to read arbitrary local files on the server. Because the affected functionality lacks CSRF protection, it can be triggered by both authenticated and unauthenticated attackers. Additionally, the Scheduler component allows system command execution if an administrator is tricked into visiting a malicious website, again because of missing CSRF protection.
Recommendations: For Grav CMS versions through 1.7.0-rc.17, update to a version that addresses the path-traversal and CSRF vulnerabilities, which prevents the arbitrary file read and the system command execution. As a temporary workaround, restrict access to the Backup functionality and the Scheduler component to reduce the risk of exploitation.

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2020-29556
GHSA-R3RG-JRJQ-W4MR

Affected Products

Grav CMS