PT-2023-24777 · Grav · Grav
Jacobsoo · Published 2023-06-14 · Updated 2023-06-23 · CVE-2023-34253
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.7.42
Description: The issue concerns a flat-file content management system where the denylist, introduced to prevent the execution of dangerous functions via malicious template injection, was insufficient. This allowed a low-privileged attacker with login access to the Grav Admin panel and page creation/update permissions to inject malicious templates, potentially leading to remote code execution. The denylist could be subverted in multiple ways, including using unsafe functions not banned, using capitalized callable names, and using fully-qualified names for referencing callables.
Recommendations: For versions prior to 1.7.42, update to version 1.7.42 to improve the denylist and prevent the execution of dangerous functions via malicious template injection.
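The description above names two bypass classes that come from comparing callable names as raw strings. The following is an added illustrative example, not Grav's code or its actual denylist: a naive exact-match check beside a check that canonicalizes the name first (PHP function names are case-insensitive and a leading backslash is the global-namespace qualifier). The denylist contents and sample names are constructed for the example.

```python
# Added illustrative example (not Grav's code): why an exact-match denylist of
# callable names is bypassable, and a normalizing check that closes the two
# gaps the advisory names (capitalized names, fully-qualified names).
# In PHP, "SYSTEM" and "\system" both resolve to system().

# Constructed sample denylist of dangerous PHP callables (assumption, not Grav's list).
DENYLIST = {"system", "exec", "shell_exec", "passthru", "popen"}


def naive_is_blocked(callable_name: str) -> bool:
    """Exact string match: the pattern the advisory describes as insufficient."""
    return callable_name in DENYLIST


def normalize_callable(callable_name: str) -> str:
    """Reduce a PHP callable reference to a canonical form before comparing."""
    name = callable_name.strip()
    # A leading backslash is the global-namespace qualifier: "\exec" is exec().
    name = name.lstrip("\\")
    # PHP resolves function names case-insensitively.
    return name.lower()


def hardened_is_blocked(callable_name: str) -> bool:
    """Compare the canonical form, so case and namespace qualifiers cannot evade the list."""
    return normalize_callable(callable_name) in DENYLIST


def audit(callable_names):
    """Return the names the naive check lets through but the hardened check blocks."""
    return [n for n in callable_names if hardened_is_blocked(n) and not naive_is_blocked(n)]


if __name__ == "__main__":
    # Constructed sample of callable names as they might appear in template source.
    samples = ["system", "SYSTEM", "\\exec", "\\Shell_Exec", " passthru ", "strtoupper"]
    for n in samples:
        print(f"{n!r:16} naive={naive_is_blocked(n)!s:5} hardened={hardened_is_blocked(n)}")
    print("missed by naive check:", audit(samples))
```

Normalization only addresses the two spelling-based bypasses; the third class the advisory lists, unsafe functions that were never added to the list, is inherent to denylisting and is why an allowlist of permitted callables is the more robust design.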

Exploit

Fix

RCE

Incomplete List of Disallowed Inputs

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2023-34253
GHSA-J3V8-V77F-FVGM

Affected Products

Grav