CVE-2021-29440
Summary
| CVE | CVE-2021-29440 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-04-13 20:15:00 UTC |
| Updated | 2022-11-09 03:12:00 UTC |
| Description | Grav is a file-based web platform. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. The issue was addressed in version 1.7.11. |
Risk And Classification
Problem Types: CWE-94
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Twig allowing dangerous PHP functions by default · Advisory · getgrav/grav · GitHub | CONFIRM | github.com | |
| Grav CMS 1.7.10 Server-Side Template Injection ≈ Packet Storm | MISC | packetstormsecurity.com | |
| getgrav/grav - Packagist | MISC | packagist.org | |
| Grav CMS 1.7.10 - Code Execution Vulnerabilities | MISC | blog.sonarsource.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.