PT-2026-3182 · Grav Cms · Grav Cms


Published: 2026-01-15 · Updated: 2026-01-16 · CVE-2021-47812

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GravCMS version 1.10.7

Description: GravCMS version 1.10.7 has an issue that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can abuse the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs that execute system commands. The "/scheduler" endpoint is affected; the admin-nonce parameter is the injection point.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2021-47812

Affected Products: Grav Cms