PT-2024-2486 · Grav CMS · Grav CMS

Author: Akabe1
Published: 2024-03-21 · Updated: 2025-09-11

CVE-2024-28116
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Grav CMS versions prior to 1.7.45

Description: The issue is a Server-Side Template Injection (SSTI) in Grav CMS that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. The vulnerability is due to incorrect management of code generation. An attacker could exploit this issue by injecting specially crafted Twig template directives into a web page, allowing them to execute arbitrary OS commands on the remote web server. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents in which this issue was exploited.

Technical details about exploitation include:
  • API Endpoints: None specified
  • Vulnerable Parameters or Variables: the system.twig.safe_functions and system.twig.safe_filters configuration settings
  • Function Names: registerUndefinedFunctionCallback() and registerUndefinedFilterCallback()

Recommendations: For Grav CMS versions prior to 1.7.45, update to version 1.7.45 or later to resolve the issue. As a temporary workaround, consider restricting access to the Twig template directives to minimize the risk of exploitation. Avoid using the system.twig.safe_functions and system.twig.safe_filters settings in the affected API endpoints until the issue is resolved.
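The recommendation above turns on one question for a defender: is the installed Grav version below 1.7.45? The following Python script is an added example, not part of this advisory and not Grav's own code. It assumes that Grav records its version in system/defines.php as a PHP define named GRAV_VERSION (an assumption about Grav's layout, not something the advisory states), extracts that string, and compares it against the fixed version, treating a pre-release such as 1.7.45-rc.1 as still prior to 1.7.45. The PHP excerpt embedded below is a constructed sample so the script runs offline.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a Grav system/defines.php excerpt (assumed file layout,
# not taken from the advisory). Replace with the real file contents when scanning.
SAMPLE_DEFINES_PHP = """<?php
// constructed sample for illustration
define('GRAV_VERSION', '1.7.44');
define('GRAV_SCHEMA', '1.7.0_2020.11.09.01');
"""

# First version containing the fix, per the advisory.
FIXED_VERSION = (1, 7, 45)

# Matches define('GRAV_VERSION', '<version>') with flexible whitespace.
_VERSION_RE = re.compile(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)")


def extract_version(defines_php: str) -> Optional[str]:
    """Return the GRAV_VERSION string from a defines.php body, or None if absent."""
    match = _VERSION_RE.search(defines_php)
    return match.group(1) if match else None


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Convert '1.7.45' or '1.7.45-rc.1' into a comparable tuple.

    The fourth element is 1 for a final release and 0 for a pre-release, so
    '1.7.45-rc.1' sorts before '1.7.45' (and is therefore still unpatched).
    Non-numeric version parts are treated as 0.
    """
    core, dash, _suffix = version.partition("-")
    numbers = []
    for part in core.split(".")[:3]:
        digits = re.match(r"\d+", part)
        numbers.append(int(digits.group(0)) if digits else 0)
    while len(numbers) < 3:
        numbers.append(0)
    return (numbers[0], numbers[1], numbers[2], 0 if dash else 1)


def is_vulnerable(version: str) -> bool:
    """True when the version is prior to the fixed release 1.7.45."""
    return parse_version(version) < FIXED_VERSION + (1,)


def assess(defines_php: str) -> dict:
    """Summarise the exposure of one install from its defines.php contents."""
    version = extract_version(defines_php)
    if version is None:
        return {"version": None, "vulnerable": None,
                "note": "GRAV_VERSION not found; check the file manually"}
    vulnerable = is_vulnerable(version)
    note = ("update to 1.7.45 or later (CVE-2024-28116)" if vulnerable
            else "at or above the fixed version")
    return {"version": version, "vulnerable": vulnerable, "note": note}


if __name__ == "__main__":
    print(assess(SAMPLE_DEFINES_PHP))
```

Run against the real defines.php of each Grav install in inventory and feed the result into whatever tracks patch status; the helper returns a dictionary rather than printing so it can be used from a larger scan unchanged.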

Weakness Enumeration: Code Injection

Related Identifiers:
BDU:2024-02464
CVE-2024-28116
GHSA-C9GP-64C4-2RRH

Affected Products: Grav CMS