Product:

Grav

(Getgrav)
Repositories

Unknown:

This might be proprietary software.
#Vulnerabilities 25
Date Id Summary Products Score Patch Annotated
2021-09-27 CVE-2021-3818 grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking Grav 5.3
2021-10-27 CVE-2021-3904 grav is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Grav 5.4
2021-11-05 CVE-2021-3924 grav is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Grav 7.5
2022-01-25 CVE-2022-0268 Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav prior to 1.7.28. Grav 5.4
2022-02-28 CVE-2022-0743 Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31. Grav 4.6
2022-03-15 CVE-2022-0970 Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31. Grav 5.4
2022-04-26 CVE-2022-1173 stored xss in GitHub repository getgrav/grav prior to 1.7.33. Grav 5.4
2022-06-29 CVE-2022-2073 Code Injection in GitHub repository getgrav/grav prior to 1.7.34. Grav 7.2
2023-06-14 CVE-2023-34251 Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue. Grav 7.2
2023-06-14 CVE-2023-34252 Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject... Grav 7.2