 
                        We found results for “”
CVE-2023-34448
Date: June 14, 2023
Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default "filter()" function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig "map()" and "reduce()" filter functions in "system/src/Grav/Common/Twig/Extension/GravExtension.php" to validate the argument passed to the filter in "$arrow".
Language: PHP
Severity Score
Related Resources (12)
Severity Score
Weakness Type (CWE)
CVSS v3.1
| Base Score: |  | 
|---|---|
| Attack Vector (AV): | NETWORK | 
| Attack Complexity (AC): | LOW | 
| Privileges Required (PR): | LOW | 
| User Interaction (UI): | NONE | 
| Scope (S): | UNCHANGED | 
| Confidentiality (C): | HIGH | 
| Integrity (I): | HIGH | 
| Availability (A): | HIGH | 
 Vulnerabilities
                        Vulnerabilities
                 Projects
                        Projects
                 Vulnerability Disclosure
                        Vulnerability Disclosure
                 About Us
                    About Us
                 Contact Us
                    Contact Us
                

