PT-2021-14497 · Grav · Grav Admin Plugin

Author: Mehmet Ince · Published: 2021-04-07 · Updated: 2022-10-24 · CVE-2021-21425

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav Admin Plugin versions 1.10.7 and earlier

Description: The issue allows an unauthenticated user to execute certain methods of the administrator controller without credentials, resulting in arbitrary YAML file creation or modification. This can lead to configuration changes, such as altering site information or scheduler jobs. An adversary can exploit this to change parts of the webpage, hijack an administrator account, or execute operating system commands under the web-server user context.

Recommendations: For versions 1.10.7 and earlier, update to version 1.10.8 to resolve the issue. As a temporary workaround, consider blocking access to the "/admin" path from untrusted sources to minimize the risk of exploitation.
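One way to apply the temporary workaround above, as an added example that is not part of the advisory and not Grav's own configuration: an nginx location block that restricts the "/admin" path to a trusted management network. It assumes nginx fronts the Grav site with the usual front-controller rewrite to index.php; the 203.0.113.0/24 range is a placeholder (TEST-NET-3) to be replaced with the real administrator network.

```nginx
# Added example (not from the advisory): keep the Grav admin UI reachable only
# from a trusted network until the plugin is updated to 1.10.8 or later.
# 203.0.113.0/24 is a placeholder range; replace it with the real admin network.
location ^~ /admin {
    allow 203.0.113.0/24;   # trusted management network (placeholder)
    deny  all;              # every other source receives 403

    # Hand permitted requests to Grav's front controller as usual.
    try_files $uri $uri/ /index.php?$query_string;
}
```

The `^~` modifier makes this prefix location take precedence over regex locations, so the allow/deny rules are evaluated before the request reaches the PHP handler. Denied requests appear in the nginx access log as 403 responses for "/admin", which is a useful signal to watch for probing while the update is pending.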


Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2021-21425
GHSA-6F53-6QGV-39PJ

Affected Products

Grav Admin Plugin