PT-2023-24776 · Grav · Grav

Jacobsoo · Published 2023-06-14 · Updated 2023-06-23 · CVE-2023-34252

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.7.42
Description: Grav is a flat-file content management system. Its Twig "filter" filter is implemented by the GravExtension.filterFilter() function, declared in /system/src/Grav/Common/Twig/Extension/GravExtension.php, which validates the callable it receives against a denylist of unsafe PHP functions. The check is only performed when the callable is passed as a string; when it is passed as an array callable instead, the denylist is skipped entirely. A low-privileged attacker with login access to the Grav Admin panel and page creation/update permissions can place a malicious Twig template in page content and obtain remote code execution on the server.
Recommendations: For versions prior to 1.7.42, update to version 1.7.42, which resolves the issue. As defence in depth, also ensure that the twig.undefined_functions and twig.undefined_filters properties in the /path/to/webroot/system/config/system.yaml configuration file are set to false, so that Twig does not treat undefined filters or functions as PHP functions and execute them. This setting reduces the PHP surface reachable from templates but does not by itself close the array-callable bypass in filterFilter(), so it is not a substitute for the update.
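The following PHP script is an added illustration of the flaw pattern described above; it is not Grav's own code and does not reproduce Grav's exploit. The class names FilterGuard and Gadget, the constant DENYLIST and the functions vulnerableFilter() and hardenedFilter() are assumptions made for this example. The vulnerable variant checks the denylist only for string callables, so an array callable reaches array_filter() unchecked; the hardened variant validates the shape of the callable before its name, accepting closures (which is what Twig arrow functions compile to) and plain function names only.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not Grav's own code. It reproduces the shape of the flaw the
 * advisory describes: a Twig-style "filter" filter whose callable is checked
 * against a denylist only when it is a string. FilterGuard, Gadget, DENYLIST,
 * vulnerableFilter() and hardenedFilter() are names invented for this script.
 * Requires PHP 8 (str_contains).
 */

/** Constructed stand-in for a gadget class reachable through an array callable.
 *  It only records what it was asked to run; a real gadget would call system(). */
final class Gadget
{
    public static array $log = [];

    public static function run(string $cmd): bool
    {
        self::$log[] = "would execute: $cmd";   // stand-in for system($cmd)
        return true;
    }
}

final class FilterGuard
{
    /** PHP functions a template must never be able to call (illustrative list). */
    private const DENYLIST = ['system', 'exec', 'shell_exec', 'passthru',
                              'proc_open', 'popen', 'eval', 'assert'];

    /** Vulnerable pattern: the denylist is consulted only for string callables. */
    public static function vulnerableFilter(array $items, $arrow): array
    {
        if (is_string($arrow) && in_array(strtolower($arrow), self::DENYLIST, true)) {
            throw new RuntimeException("Function '$arrow' is not allowed");
        }
        // An array such as [Gadget::class, 'run'] reaches array_filter() unchecked.
        return array_filter($items, $arrow);
    }

    /** Hardened pattern: validate the callable's shape first, then its name. */
    public static function hardenedFilter(array $items, $arrow): array
    {
        if ($arrow instanceof Closure) {
            // Twig arrow functions compile to closures; there is no name to look up.
            return array_filter($items, $arrow);
        }
        if (!is_string($arrow)) {
            // [class, method], [object, method] and invokable objects are refused outright.
            throw new RuntimeException('Only plain function names are accepted as callables');
        }
        // PHP function names are case-insensitive, so normalise before comparing.
        $name = strtolower($arrow);
        if (str_contains($name, '::') || !function_exists($name)
            || in_array($name, self::DENYLIST, true)) {
            throw new RuntimeException("Function '$arrow' is not allowed");
        }
        return array_filter($items, $name);
    }
}

$items = ['id', 'whoami', ''];   // constructed sample input

// Benign use works in both versions: keep the non-empty strings.
var_dump(FilterGuard::vulnerableFilter($items, 'strlen') === ['id', 'whoami']);
var_dump(FilterGuard::hardenedFilter($items, 'strlen') === ['id', 'whoami']);

// A denylisted string callable is caught by both versions.
foreach (['vulnerableFilter', 'hardenedFilter'] as $fn) {
    try {
        FilterGuard::$fn($items, 'system');
        echo "$fn: 'system' allowed (unexpected)\n";
    } catch (RuntimeException $e) {
        echo "$fn: blocked string callable 'system'\n";
    }
}

// The same denylist is skipped for an array callable in the vulnerable version ...
FilterGuard::vulnerableFilter($items, [Gadget::class, 'run']);
print_r(Gadget::$log);   // one "would execute: ..." entry per item

// ... and refused by the hardened one.
try {
    FilterGuard::hardenedFilter($items, [Gadget::class, 'run']);
} catch (RuntimeException $e) {
    echo 'hardenedFilter: ' . $e->getMessage() . "\n";
}
```

The point of the hardened variant is that the denylist is never the first line of defence: the callable's type is constrained before any name lookup, so the class of inputs the denylist was never written for (arrays, objects, "Class::method" strings) cannot reach the PHP runtime.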

Tags: Exploit, Fix, RCE, Code Injection

Weakness Enumeration: Incomplete List of Disallowed Inputs

Related Identifiers: CVE-2023-34252, GHSA-96XV-RMWJ-6P9W

Affected Products: Grav