CVE-2023-34252
Grav Server-side Template Injection via Insufficient Validation in filterFilter
In short
Grav CMS has a logic flaw in its template filter validation that lets an authenticated attacker with Admin panel login and page creation/update permissions inject malicious templates and take over the site. The denylist check is bypassed by passing the filter argument in a specific format (an array callable instead of a string).
Technical detail
Server-side template injection in Grav's `GravExtension.filterFilter()` function: the denylist check for unsafe functions is applied only when the filter argument is a string, so an array callable bypasses it. An authenticated attacker with page creation/update permissions can inject arbitrary Twig templates to achieve remote code execution. A patch is available in version 1.7.42; as an additional hardening measure, set `twig.undefined_functions` and `twig.undefined_filters` to `false` in `system.yaml`.
Summary generated and translated by AI from the official description.
Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. The vulnerability can be found in the `GravExtension.filterFilter()` function declared in `/system/src/Grav/Common/Twig/Extension/GravExtension.php`. Version 1.7.42 contains a patch for this issue. End users should also ensure that `twig.undefined_functions` and `twig.undefined_filters` properties in `/path/to/webroot/system/config/system.yaml` configuration file are set to `false` to disallow Twig from treating undefined filters/functions as PHP functions and executing them.
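The flaw class described above, and one way to close it, as an added PHP illustration that is not Grav's own code: the validator functions, the short denylist and `SomeClass` are constructed for the example.

```php
<?php
// Added illustration (not Grav's code): a denylist that is only consulted
// for string callables, beside a version that normalises every accepted
// callable form to a name before checking it.

// Illustrative denylist; a real one is longer.
const UNSAFE_FUNCTIONS = ['system', 'exec', 'passthru', 'shell_exec'];

// Flawed pattern from the advisory: validation happens only inside the
// is_string() branch, so an array callable is returned as allowed without
// ever being compared against the denylist.
function isAllowedCallableFlawed($callable): bool
{
    if (is_string($callable)) {
        return !in_array(strtolower($callable), UNSAFE_FUNCTIONS, true);
    }
    return true; // array callables fall through unvalidated
}

// Hardened pattern: reduce the callable to a string name first, refuse any
// form that cannot be reduced, then apply the denylist to the result.
function isAllowedCallableHardened($callable): bool
{
    if (is_string($callable)) {
        $name = ltrim($callable, '\\');
    } elseif (is_array($callable) && count($callable) === 2
        && (is_string($callable[0]) || is_object($callable[0]))
        && is_string($callable[1])) {
        // [class-or-object, method] is rewritten as "Class::method"
        $class = is_object($callable[0]) ? get_class($callable[0]) : $callable[0];
        $name  = ltrim($class, '\\') . '::' . $callable[1];
    } else {
        return false; // closures, invokable objects, malformed arrays: refuse
    }
    // Only names that PHP can actually call are considered further.
    if (!is_callable($name)) {
        return false;
    }
    return !in_array(strtolower($name), UNSAFE_FUNCTIONS, true);
}

// Constructed inputs: a benign string, a denylisted string, and an array
// callable referring to a class that does not exist in this script.
var_dump(isAllowedCallableFlawed('strtoupper'));
var_dump(isAllowedCallableFlawed('system'));
var_dump(isAllowedCallableFlawed(['SomeClass', 'method']));     // never checked
var_dump(isAllowedCallableHardened(['SomeClass', 'method']));   // refused: not callable
```

A denylist remains a weaker control than an allowlist of known-safe filter callables; the hardened function only shows how to make the existing check cover every input form.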
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H