PT-2021-18216 · Grav · Grav

Thomas Chauchefoin · Published 2021-04-13 · Updated 2022-11-09 · CVE-2021-29440
CVSS v3.1: 8.4 (High) · Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.7.11
Description: The issue concerns the Twig processing of static pages in Grav, a flat-file web CMS. Any administrative user allowed to create or edit pages can enable Twig processing for a page from its front matter. Because the Twig environment is not sandboxed, the page content is then evaluated with access to PHP functionality, so a page editor can turn this into arbitrary PHP code execution on the server and elevate privileges on the instance.
Recommendations: Update to version 1.7.11 or later. As a temporary workaround, restrict access to the /admin path to trusted sources; note that this only reduces exposure, since exploitation already requires an account permitted to create or edit pages (PR:H in the vector), so also review which accounts hold that permission. After updating, if templates or pages relied on calling PHP functions or filters from Twig, allow only the ones actually needed through the system.twig.safe_functions and system.twig.safe_filters options.
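The following is an added example, not Grav's own code or part of the original advisory: a read-only audit script a site administrator could run over page sources after reading the description and recommendations above. It splits each page into front matter and body, reports pages whose own front matter enables Twig processing (`process: twig: true`), and lists the function and filter names used in those pages that are neither Twig built-ins nor on an allowlist modelled on the `system.twig.safe_functions` / `system.twig.safe_filters` options. The sample pages, the allowlist contents and the partial lists of Twig core callables are constructed for the demonstration; the YAML and Twig parsing is a deliberately small subset so the script runs offline, and a site-wide `system.pages.process.twig` default is not considered.

```python
"""Audit Grav page files for Twig processing and unrecognised Twig callables.

Added example, not Grav's own code. Scans page sources (constructed here as
strings standing in for user/pages/**/*.md), reports pages whose front matter
enables Twig processing, and lists function/filter names used in those pages
that are neither Twig built-ins nor on an allowlist modelled on the
system.twig.safe_functions / system.twig.safe_filters options.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample pages for the demonstration (not real site content).
SAMPLE_PAGES = {
    "01.home/default.md": "---\ntitle: Home\n---\n# Welcome\n",
    "02.about/default.md": (
        "---\ntitle: About\nprocess:\n  markdown: true\n  twig: true\n---\n"
        "{{ page.title|upper }} - {{ 'now'|date('Y') }} {{ str_pad(page.title, 20) }}\n"
    ),
    "03.contact/default.md": (
        "---\ntitle: Contact\nprocess:\n  twig: true\n---\n{{ phpinfo() }}\n"
    ),
}

# Allowlist standing in for twig.safe_functions / twig.safe_filters in user/config/system.yaml.
SAFE_FUNCTIONS = frozenset({"str_pad"})
SAFE_FILTERS = frozenset()

# Partial sets of Twig core callables (assumption: extend with Grav's own Twig
# functions and filters before running this against a real site).
TWIG_FUNCTIONS = frozenset({"attribute", "block", "constant", "cycle", "date", "dump",
                            "include", "max", "min", "parent", "random", "range", "source"})
TWIG_FILTERS = frozenset({"abs", "capitalize", "date", "default", "e", "escape", "first",
                          "join", "json_encode", "keys", "last", "length", "lower", "merge",
                          "raw", "replace", "reverse", "round", "slice", "sort", "split",
                          "striptags", "title", "trim", "upper", "url_encode"})

FRONT_MATTER = re.compile(r"\A---[ \t]*\n(.*?)\n---[ \t]*\n?(.*)\Z", re.S)
TWIG_TAG = re.compile(r"\{[{%](.*?)[}%]\}", re.S)
FUNC_CALL = re.compile(r"(?<![\w.|])([A-Za-z_]\w*)\s*\(")  # name( not a method or filter
FILTER_USE = re.compile(r"\|\s*([A-Za-z_]\w*)")


def _scalar(value: str):
    low = value.lower()
    if low in ("true", "yes", "on"):
        return True
    if low in ("false", "no", "off"):
        return False
    return value.strip("'\"")


def parse_simple_yaml(text: str) -> dict:
    """Nested mappings of scalars only; enough for typical Grav page front matter."""
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value.strip())
    return root


def twig_enabled(front: dict) -> bool:
    """Page-level switch only; a site-wide process.twig default is out of scope here."""
    process = front.get("process")
    return isinstance(process, dict) and process.get("twig") is True


@dataclass(frozen=True)
class Finding:
    path: str
    unknown_functions: tuple
    unknown_filters: tuple


def audit_page(path: str, source: str) -> Optional[Finding]:
    m = FRONT_MATTER.match(source)
    if not m:
        return None
    front, body = parse_simple_yaml(m.group(1)), m.group(2)
    if not twig_enabled(front):
        return None
    code = " ".join(TWIG_TAG.findall(body))  # only text inside {{ }} / {% %} is Twig
    functions = set(FUNC_CALL.findall(code)) - TWIG_FUNCTIONS - SAFE_FUNCTIONS
    filters = set(FILTER_USE.findall(code)) - TWIG_FILTERS - SAFE_FILTERS
    return Finding(path, tuple(sorted(functions)), tuple(sorted(filters)))


def audit_pages(pages: dict) -> list:
    """Findings for every page that enables Twig, in path order."""
    return [f for f in (audit_page(p, s) for p, s in sorted(pages.items())) if f]


if __name__ == "__main__":
    for f in audit_pages(SAMPLE_PAGES):
        flag = "REVIEW" if f.unknown_functions or f.unknown_filters else "ok"
        print(f"{flag:6} {f.path}: twig enabled; unknown functions={f.unknown_functions} "
              f"filters={f.unknown_filters}")
```

Run as-is it reports `02.about` as ok (its only non-Twig callable, `str_pad`, is on the allowlist) and flags `03.contact` for `phpinfo`. The check deliberately knows nothing about what a name does: anything not recognised is surfaced for a human to decide whether it belongs in `safe_functions` / `safe_filters` or should not be in a page at all.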

Exploit

Fix

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2021-29440
GHSA-G8R4-P96J-XFXC

Affected Products

Grav