PT-2024-22273 · Grav · Grav

As3617 +1 · Published 2024-03-21 · Updated 2025-01-02 · CVE-2024-28118

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.7.45

Description: The issue arises because the Twig extension class is reachable without restriction from the Grav context, which lets an attacker redefine configuration variables and bypass the earlier SSTI mitigation. This can lead to arbitrary code execution and privilege elevation on the instance. The Twig processor runs unsandboxed, and its processing of static pages can be enabled by any administrative user who is allowed to create or edit pages.

Recommendations: For Grav versions prior to 1.7.45, update to version 1.7.45 or later to resolve the issue. As a temporary workaround, consider disabling the Twig processor for static pages or restricting access to the Twig extension class to minimize the risk of exploitation. Avoid using the registerUndefinedFunctionCallback function until the issue is resolved.
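The following audit script is an added example for defenders; it is not part of the advisory and not code from the Grav project. It checks the three things the description and recommendations above turn on: whether the installed version is prior to 1.7.45, whether Twig processing is enabled globally, and which pages enable the Twig processor in their front matter (the setting any page-editing admin can flip). It assumes the Grav layout of `system/defines.php` with a `GRAV_VERSION` constant, `user/config/system.yaml` with a `pages.process.twig` key, and page files under `user/pages` whose YAML front matter may carry `process: twig: true`; the key paths are treated as assumptions and the YAML reader is a minimal indentation walker, not a full parser.

```python
#!/usr/bin/env python3
"""Triage helper for CVE-2024-28118 (Grav < 1.7.45): report version exposure and
every place Twig processing of pages is switched on. Added example, not Grav code."""
import pathlib
import re
import sys

FIXED_VERSION = (1, 7, 45)  # per the advisory: versions prior to 1.7.45 are affected

# Minimal "key: value" line matcher for block-style YAML (assumption: Grav writes plain mappings)
KEY_RE = re.compile(r'^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*$')
BOOL_WORDS = {'true': True, 'false': False, 'yes': True, 'no': False, 'on': True, 'off': False}


def parse_version(defines_php):
    """Extract (major, minor, patch) from the GRAV_VERSION define in system/defines.php."""
    m = re.search(r"""GRAV_VERSION['"]\s*,\s*['"](\d+)\.(\d+)\.(\d+)""", defines_php)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True when the version tuple is prior to the fixed release."""
    return version is not None and version < FIXED_VERSION


def lookup_bool(yaml_text, dotted_path):
    """Return the boolean at a dotted key path (e.g. 'pages.process.twig'), or None if absent.
    Handles nested block mappings and a one-line inline mapping like 'process: {twig: true}'."""
    target = dotted_path.split('.')
    stack = []  # (indent, key) pairs describing the current nesting
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        m = KEY_RE.match(raw)
        if not m:
            continue  # list items and other non-mapping lines are irrelevant here
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        path = [k for _, k in stack]
        if path == target:
            return BOOL_WORDS.get(value.strip('\'"').lower())
        if path == target[:-1] and value.startswith('{'):
            inner = re.search(r'\b' + re.escape(target[-1]) + r'\s*:\s*([A-Za-z]+)', value)
            if inner:
                return BOOL_WORDS.get(inner.group(1).lower())
    return None


def front_matter(markdown_text):
    """Return the YAML front matter between the leading '---' fences, or '' if none."""
    lines = markdown_text.splitlines()
    if not lines or lines[0].strip() != '---':
        return ''
    for i in range(1, len(lines)):
        if lines[i].strip() == '---':
            return '\n'.join(lines[1:i])
    return ''


def audit_texts(defines_php, system_yaml, pages):
    """Pure core: takes file contents (pages is {relative_path: text}) and returns findings."""
    findings = []
    version = parse_version(defines_php) if defines_php is not None else None
    if version is None:
        findings.append('could not determine Grav version from system/defines.php')
    elif is_affected(version):
        findings.append('Grav %s is prior to 1.7.45 (CVE-2024-28118): update to 1.7.45 or later'
                        % '.'.join(map(str, version)))
    if system_yaml is not None and lookup_bool(system_yaml, 'pages.process.twig'):
        findings.append('user/config/system.yaml enables Twig processing for every page '
                        '(pages.process.twig: true)')
    for name, text in sorted(pages.items()):
        if lookup_bool(front_matter(text), 'process.twig'):
            findings.append('%s enables Twig processing in its front matter (process.twig: true)' % name)
    return findings


def audit(root):
    """Read a Grav install under `root` and run the audit over its files."""
    root = pathlib.Path(root)
    defines = root / 'system' / 'defines.php'
    system_yaml = root / 'user' / 'config' / 'system.yaml'
    pages = {str(p.relative_to(root)): p.read_text(errors='replace')
             for p in (root / 'user' / 'pages').rglob('*.md')}
    return audit_texts(defines.read_text() if defines.exists() else None,
                       system_yaml.read_text() if system_yaml.exists() else None,
                       pages)


if __name__ == '__main__':
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else '.'):
        print(finding)
```

Run it as `python3 grav_twig_audit.py /var/www/grav`; an empty report means the version is at or past 1.7.45 and no page or global setting hands content to the unsandboxed Twig processor. Pages that legitimately need Twig should be reviewed for who can edit them, since that editing right is the privilege the advisory describes being escalated.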

Exploit · Fix · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2024-28118
GHSA-R6VW-8V8R-PMP4

Affected Products

Grav