
CVE-2021-3818:
Reliance on Cookies without Validation and Integrity Checking in getgrav/grav

CVSS Score: 6.3

Basic Information

EPSS Score: -
Published: 9/29/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Package Name: getgrav/grav
Ecosystem: composer
Vulnerable Versions: < 1.7.21
First Patched Version: 1.7.21

Vulnerability Intelligence
Root Cause Analysis

The root cause is a hardcoded '/' path in the affected cookie operations, visible in the pre-patch versions of those functions. A cookie scoped to '/' is sent with requests to every path on the host, so any other application served from the same domain receives it. Commit c51fb17 changes these functions to obtain their cookie attributes from getCookieOptions(), so they inherit the path, secure flag and related settings configured for the main session cookie instead of a fixed '/'. That is exactly the condition the vulnerability description points at: the cookie's scope now matches the session's, rather than the whole domain.
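To make the before/after shape concrete, the following is an added example in plain PHP. It is not Grav's code: the function names setFlashCookieBefore(), setFlashCookieAfter() and cookieScopeMatchesSession() are hypothetical stand-ins, and the body of getCookieOptions() is an assumption about how such a helper is typically written (the page names getCookieOptions() but not its implementation). The example relies only on PHP's own session_get_cookie_params(), session_set_cookie_params() and the array form of setcookie(), so it needs PHP 7.3 or later.

```php
<?php
// Added illustrative example, not Grav's code. Shows a cookie helper with the
// hardcoded '/' path beside a version that inherits the session cookie's
// scope, which is the shape of fix the root-cause analysis describes.
// Function names are hypothetical; the getCookieOptions() body is an assumption.
declare(strict_types=1);

// BEFORE: path fixed to '/', no Secure/HttpOnly/SameSite attributes. Every
// application served from this host, under any path, receives the cookie.
function setFlashCookieBefore(string $name, array $payload): bool
{
    return setcookie($name, json_encode($payload), time() + 60, '/');
}

// Illustrative getCookieOptions(): copy the attributes PHP already uses for
// the session cookie, so a secondary cookie is never scoped more widely than
// the session it belongs to. session_get_cookie_params() is standard PHP.
function getCookieOptions(int $lifetime): array
{
    $p = session_get_cookie_params();
    return [
        'expires'  => $lifetime > 0 ? time() + $lifetime : 0,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => (bool) $p['secure'],
        'httponly' => (bool) $p['httponly'],
        'samesite' => $p['samesite'] !== '' ? $p['samesite'] : 'Lax',
    ];
}

// AFTER: attributes come from getCookieOptions(); array-form setcookie() is PHP 7.3+.
function setFlashCookieAfter(string $name, array $payload): bool
{
    return setcookie($name, json_encode($payload), getCookieOptions(60));
}

// Check to run against any cookie an application emits: is it confined to the
// session cookie's path, and does it keep the session's Secure/HttpOnly flags?
function cookieScopeMatchesSession(array $opts): bool
{
    $s = session_get_cookie_params();
    return ($opts['path'] ?? '/') === $s['path']
        && (!$s['secure']   || !empty($opts['secure']))
        && (!$s['httponly'] || !empty($opts['httponly']));
}

// Demonstration with a constructed configuration: the session cookie is
// confined to /grav/ and marked Secure, HttpOnly and SameSite=Strict.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/grav/', 'domain' => '',
    'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
]);

$before = ['path' => '/'];      // the attributes setFlashCookieBefore() would emit
$after  = getCookieOptions(60); // the attributes setFlashCookieAfter() would emit
var_dump(cookieScopeMatchesSession($before));
var_dump(cookieScopeMatchesSession($after));
```

The demonstration deliberately does not call setcookie() itself, since under the CLI SAPI no header is sent; it compares the attribute sets instead, and the pre-fix set fails the check because its path is wider than the session's. Against a running deployment the equivalent check is to read the Set-Cookie headers (for example with `curl -sI` piped through `grep -i set-cookie`) and confirm that every application cookie carries the same Path, Secure and HttpOnly attributes as the session cookie. One caveat: the Path attribute is a scoping convenience rather than a security boundary. RFC 6265 states that cookies do not provide isolation by path, so applications that must not share cookies belong on distinct hosts, not merely distinct paths.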


WAF Protection Rules

WAF Rule

Grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking. A cookie with an overly broad path can be accessed through other applications on the same domain. Since cookies often carry sensitive information such as session identifiers
