Server Side Template Injection in Grav CMS (Versions < 1.7.42) Allows Remote Code Execution

Server Side Template Injection in Grav CMS (Versions < 1.7.42) Allows Remote Code Execution

CVE-2023-34251 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.

Learn more about our Cis Benchmark Audit For Server Software.