CVE-2024-27923

Summary

Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the frontmatter feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code execution. Version 1.7.43 fixes this issue.

Affected Software

VendorProductVersion RangeStatus
getgravgrav< 1.7.43affected

Weaknesses

  • CWE-287: CWE-287: Improper Authentication
  • CWE-434: CWE-434: Unrestricted Upload of File with Dangerous Type

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References