high
8.8
CWE
94 1336 184
Advisory Published
Updated

CVE-2023-34253: Grav vulnerable to Server-side Template Injection (SSTI) via Denylist Bypass

First published: Wed Jun 14 2023(Updated: )

Grav is a file-based Web platform. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Getgrav Grav<1.7.42

Remedy

https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b

Remedy

https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2023-34253?

    CVE-2023-34253 is a vulnerability in Grav, a file-based Web platform, where the denylist introduced in version 1.7.42 can be easily subverted, allowing the execution of dangerous functions via injection of malicious templates.

  • What is the severity of CVE-2023-34253?

    CVE-2023-34253 has a severity level of 7.2, which is categorized as high.

  • How does CVE-2023-34253 affect Grav?

    CVE-2023-34253 affects Grav versions up to and excluding 1.7.42. The denylist feature introduced in prior versions can be bypassed, making it possible to execute dangerous functions through injection of malicious templates.

  • How can I fix CVE-2023-34253 in Grav?

    To fix CVE-2023-34253 in Grav, it is recommended to update to version 1.7.42 or later, which includes the necessary fixes for the vulnerability.

  • Where can I find more information about CVE-2023-34253?

    For more information about CVE-2023-34253, you can refer to the following resources: [GitHub commit](https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b), [Grav security advisory](https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203