PT-2024-22274 · Grav · Grav

Author: As3617 (+1)
Published: 2024-03-21
Updated: 2025-01-02
CVE: CVE-2024-28119
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.7.45

Description: The issue arises from unrestricted access to the Twig extension class from the Grav context, which allows an attacker to redefine the escape function and execute arbitrary commands. The attack requires Twig processing to be enabled for a static page in its front matter, which any administrative user allowed to create or edit pages can do. Because the Twig processor runs unsandboxed, this behaviour can be used to gain arbitrary code execution and elevate privileges on the instance.

Recommendations: For Grav versions prior to 1.7.45, update to version 1.7.45 or later to resolve the issue. As a temporary workaround, restrict access to the Twig processor or disable the ability to enable Twig processing of static pages in the front matter until the patch is applied. Avoid using the setEscaper method of the grav.twig.twig.extensions.core class to redefine the escape function, as this can be used to execute arbitrary commands.
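
The following audit script is an added example written for this advisory; it is not code from Positive Technologies or from the Grav project. It checks the two things the recommendations above ask an operator to verify: whether the installed Grav version is prior to 1.7.45, and which pages have Twig processing enabled in their front matter so they can be reviewed or disabled until the update is applied. It assumes Grav's page-header convention of a `process:` mapping with a `twig: true` key (block or inline YAML form) and that the installed version is declared as `GRAV_VERSION` in `system/defines.php`; the sample pages and `defines.php` excerpt are constructed inline so the script runs offline. Only the front-matter `process` mapping is inspected, so a page with Twig disabled explicitly (`twig: false`) is not flagged.

```python
import re
from typing import Dict, List, Optional, Tuple

# Versions prior to 1.7.45 are affected, per the advisory.
FIXED_VERSION: Tuple[int, int, int] = (1, 7, 45)

# Constructed sample pages (path -> file content); not real site content.
# Grav pages carry YAML front matter between '---' lines; the 'process'
# mapping controls whether markdown and/or Twig are run on the page body.
SAMPLE_PAGES: Dict[str, str] = {
    "user/pages/01.home/default.md":
        "---\ntitle: Home\n---\n# Welcome\n",
    "user/pages/02.about/default.md":
        "---\ntitle: About\nprocess:\n  markdown: true\n  twig: true\n---\nTwig on (block form).\n",
    "user/pages/03.contact/default.md":
        "---\ntitle: Contact\nprocess: {markdown: true, twig: true}\n---\nTwig on (inline form).\n",
    "user/pages/04.news/default.md":
        "---\ntitle: News\nprocess:\n  twig: false\n---\nTwig explicitly off.\n",
}

# Constructed excerpt of system/defines.php (assumed location of GRAV_VERSION).
SAMPLE_DEFINES_PHP = "<?php\ndefine('GRAV_VERSION', '1.7.44');\ndefine('GRAV_SCHEMA', '1.7.0_2020-11-20_1');\n"

FRONT_MATTER_RE = re.compile(r"\A---[ \t]*\r?\n(.*?)\r?\n---[ \t]*(?:\r?\n|\Z)", re.DOTALL)
# 'process:' followed by an indented block of child keys.
BLOCK_PROCESS_RE = re.compile(r"^process:[ \t]*\r?\n((?:[ \t]+\S.*(?:\r?\n|\Z))+)", re.MULTILINE)
# 'process: {markdown: true, twig: true}' inline-mapping form.
INLINE_PROCESS_RE = re.compile(r"^process:[ \t]*\{([^}]*)\}", re.MULTILINE)
# 'twig: true' as its own key (preceded by whitespace, comma or brace, not part of another key).
TWIG_TRUE_RE = re.compile(r"(?:^|[\s,{])twig:[ \t]*true\b", re.IGNORECASE)
GRAV_VERSION_RE = re.compile(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)")


def front_matter(page_text: str) -> Optional[str]:
    """Return the YAML block between the leading '---' delimiters, or None."""
    m = FRONT_MATTER_RE.match(page_text)
    return m.group(1) if m else None


def twig_processing_enabled(page_text: str) -> bool:
    """True when the page header enables Twig processing via process.twig."""
    fm = front_matter(page_text)
    if fm is None:
        return False
    for pattern in (BLOCK_PROCESS_RE, INLINE_PROCESS_RE):
        m = pattern.search(fm)
        if m and TWIG_TRUE_RE.search(m.group(1)):
            return True
    return False


def grav_version_from_defines(php_text: str) -> Optional[str]:
    """Extract the GRAV_VERSION string from a system/defines.php file body."""
    m = GRAV_VERSION_RE.search(php_text)
    return m.group(1) if m else None


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.7.44' -> (1, 7, 44). Pre-release suffixes are ignored (treated as the release)."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def is_vulnerable_version(version: str) -> bool:
    """True for any Grav version prior to 1.7.45."""
    return parse_version(version) < FIXED_VERSION


def audit(pages: Dict[str, str], grav_version: str) -> List[str]:
    """Produce findings: outdated core version and pages with Twig processing enabled."""
    findings: List[str] = []
    if is_vulnerable_version(grav_version):
        findings.append(f"Grav {grav_version} is prior to 1.7.45: update to 1.7.45+ (CVE-2024-28119)")
    for path, text in sorted(pages.items()):
        if twig_processing_enabled(text):
            findings.append(f"{path}: Twig processing enabled in front matter; review or disable until patched")
    return findings


if __name__ == "__main__":
    version = grav_version_from_defines(SAMPLE_DEFINES_PHP) or "unknown"
    for line in audit(SAMPLE_PAGES, version):
        print(line)
```

On a real installation, replace the constructed dictionary with the contents of `user/pages/**/*.md` and read `system/defines.php` from disk; pages flagged by the script are the ones whose `process.twig` setting should be reviewed while the upgrade is pending.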

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2024-28119, GHSA-2M7X-C7PX-HP58

Affected Products: Grav