Note: This project will be discontinued after December 13, 2021.

Product | Grav (Getgrav)
---|---
Repositories | Unknown: This might be proprietary software.
# Vulnerabilities | 24
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2021-10-27 | CVE-2021-3904 | grav is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Grav | 5.4 | ||
2021-11-05 | CVE-2021-3924 | grav is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Grav | 7.5 | ||
2022-01-25 | CVE-2022-0268 | Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav prior to 1.7.28. | Grav | 5.4 | ||
2022-02-28 | CVE-2022-0743 | Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31. | Grav | 4.6 | ||
2022-03-15 | CVE-2022-0970 | Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31. | Grav | 5.4 | ||
2022-04-26 | CVE-2022-1173 | stored xss in GitHub repository getgrav/grav prior to 1.7.33. | Grav | 5.4 | ||
2022-06-29 | CVE-2022-2073 | Code Injection in GitHub repository getgrav/grav prior to 1.7.34. | Grav | 7.2 | ||
2023-06-14 | CVE-2023-34251 | Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue. | Grav | 7.2 | ||
2023-06-14 | CVE-2023-34252 | Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject... | Grav | 7.2 | ||
2023-06-14 | CVE-2023-34253 | Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel... | Grav | 7.2 | ||