7.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-34253

CVE-2023-34253: Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability

Hi,

actually we have sent the bug report to security@getgrav.org on 27th March 2023 and on 10th April 2023.

Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability

Summary:

| Product | Grav CMS | | ----------------------- | --------------------------------------------- | | Vendor | Grav | | Severity | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution | | Affected Versions | <= v1.7.40 (Commit 685d762) (Latest version as of writing) | | Tested Versions | v1.7.40 | | Internal Identifier | STAR-2023-0006 | | CVE Identifier | Reserved CVE-2023-30592, CVE-2023-30593, CVE-2023-30594 | | CWE(s) | CWE-184: Incomplete List of Disallowed Inputs, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |

CVSS3.1 Scoring System:

Base Score: 7.2 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
| Metric | Value | | ---------------------------- | --------- | | Attack Vector (AV) | Network | | Attack Complexity (AC) | Low | | Privileges Required (PR) | High | | User Interaction (UI) | None | | Scope (S) | Unchanged | | Confidentiality (C) | High | | Integrity (I) | High | | | High |

Miggo Vulnerability Database

→

CVE-2023-34253

CVE-2023-34253:

7.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getgrav/grav	composer	< 1.7.42	1.7.42

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from three key issues in Grav's SSTI protection: 1) Missing dangerous functions in Utils::isDangerousFunction's denylist (e.g., unserialize), 2) Case-sensitive function name checks allowing bypass via capitalization (e.g., 'System'), and 3) Failure to block fully-qualified function names (e.g., '\system'). The Twig filter/map/reduce handlers (filterFilter, mapFilter, reduceFunc) in GravExtension.php directly use Utils::isDangerousFunction for validation. When combined with the denylist's flaws, these functions become vectors for executing arbitrary PHP functions. The high confidence comes from reproduction steps demonstrating RCE via these vectors and commit diffs showing fixes to these components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

/** * @param string $name * @return bool */ public static function isDangerousFunction(string $name): bool { static $commandExecutionFunctions = [ 'exec', 'passthru', 'system', 'shell_exec', 'popen', 'proc_open', 'pcntl_exec', ]; static $codeExecutionFunctions = [ 'assert', 'preg_replace', 'create_function', 'include', 'include_once', 'require', 'require_once' ]; static $callbackFunctions = [ 'ob_start' => 0, 'array_diff_uassoc' => -1, 'array_diff_ukey' => -1, 'array_filter' => 1, 'array_intersect_uassoc' => -1, 'array_intersect_ukey' => -1, 'array_map' => 0, 'array_reduce' => 1, 'array_udiff_assoc' => -1, 'array_udiff_uassoc' => [-1, -2], 'array_udiff' => -1, 'array_uintersect_assoc' => -1, 'array_uintersect_uassoc' => [-1, -2], 'array_uintersect' => -1, 'array_walk_recursive' => 1, 'array_walk' => 1, 'assert_options' => 1, 'uasort' => 1, 'uksort' => 1, 'usort' => 1, 'preg_replace_callback' => 1, 'spl_autoload_register' => 0, 'iterator_apply' => 1, 'call_user_func' => 0, 'call_user_func_array' => 0, 'register_shutdown_function' => 0, 'register_tick_function' => 0, 'set_error_handler' => 0, 'set_exception_handler' => 0, 'session_set_save_handler' => [0, 1, 2, 3, 4, 5], 'sqlite_create_aggregate' => [2, 3], 'sqlite_create_function' => 2, ]; static $informationDiscosureFunctions = [ 'phpinfo', 'posix_mkfifo', 'posix_getlogin', 'posix_ttyname', 'getenv', 'get_current_user', 'proc_get_status', 'get_cfg_var', 'disk_free_space', 'disk_total_space', 'diskfreespace', 'getcwd', 'getlastmo', 'getmygid', 'getmyinode', 'getmypid', 'getmyuid' ]; static $otherFunctions = [ 'extract', 'parse_str', 'putenv', 'ini_set', 'mail', 'header', 'proc_nice', 'proc_terminate', 'proc_close', 'pfsockopen', 'fsockopen', 'apache_child_terminate', 'posix_kill', 'posix_mkfifo', 'posix_setpgid', 'posix_setsid', 'posix_setuid', ]; if (in_array($name, $commandExecutionFunctions)) { return true; } if (in_array($name, $codeExecutionFunctions)) { return true; } if (isset($callbackFunctions[$name])) { return true; } if (in_array($name, $informationDiscosureFunctions)) { return true; } if (in_array($name, $otherFunctions)) { return true; } return static::isFilesystemFunction($name); } /** * @param string $name * @return bool */ public static function isFilesystemFunction(string $name): bool { static $fileWriteFunctions = [ 'fopen', 'tmpfile', 'bzopen', 'gzopen', // write to filesystem (partially in combination with reading) 'chgrp', 'chmod', 'chown', 'copy', 'file_put_contents', 'lchgrp', 'lchown', 'link', 'mkdir', 'move_uploaded_file', 'rename', 'rmdir', 'symlink', 'tempnam', 'touch', 'unlink', 'imagepng', 'imagewbmp', 'image2wbmp', 'imagejpeg', 'imagexbm', 'imagegif', 'imagegd', 'imagegd2', 'iptcembed', 'ftp_get', 'ftp_nb_get', ]; static $fileContentFunctions = [ 'file_get_contents', 'file', 'filegroup', 'fileinode', 'fileowner', 'fileperms', 'glob', 'is_executable', 'is_uploaded_file', 'parse_ini_file', 'readfile', 'readlink', 'realpath', 'gzfile', 'readgzfile', 'stat', 'imagecreatefromgif', 'imagecreatefromjpeg', 'imagecreatefrompng', 'imagecreatefromwbmp', 'imagecreatefromxbm', 'imagecreatefromxpm', 'ftp_put', 'ftp_nb_put', 'hash_update_file', 'highlight_file', 'show_source', 'php_strip_whitespace', ]; static $filesystemFunctions = [ // read from filesystem 'file_exists', 'fileatime', 'filectime', 'filemtime', 'filesize', 'filetype', 'is_dir', 'is_file', 'is_link', 'is_readable', 'is_writable', 'is_writeable', 'linkinfo', 'lstat', //'pathinfo', 'getimagesize', 'exif_read_data', 'read_exif_data', 'exif_thumbnail', 'exif_imagetype', 'hash_file', 'hash_hmac_file', 'md5_file', 'sha1_file', 'get_meta_tags', ]; if (in_array($name, $fileWriteFunctions)) { return true; } if (in_array($name, $fileContentFunctions)) { return true; } if (in_array($name, $filesystemFunctions)) { return true; } return false; }

7.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-34253: Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability

Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability

Summary:

CVSS3.1 Scoring System:

CVE-2023-34253:

7.2

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

7.2

7.2

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

CVE-2023-34253: Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability

Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability

Summary:

CVSS3.1 Scoring System:

Product Overview:

Vulnerability Summary:

Vulnerability Details:

Exploit Conditions:

Reproduction Steps:

Suggested Mitigations:

Detection Guidance:

Credits:

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI