8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-28119

GHSA ID

GHSA-2m7x-c7px-hp58

EPSS Score

0.8225%

CWE

CWE-94

Published

3/22/2024

Updated

1/3/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-28119

CVE-2024-28119: Server Side Template Injection (SSTI) via Twig escape handler

Summary

Due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands.

Details

https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99

/**
     * Defines a new escaper to be used via the escape filter.
     *
     * @param string   $strategy The strategy name that should be used as a strategy in the escape call
     * @param callable $callable A valid PHP callable
     */
    public function setEscaper($strategy, callable $callable)
    {
        $this->escapers[$strategy] = $callable;
    }

Twig supports the functionality to redefine the escape function through the setEscaper method. However, that method is not originally exposed to the twig environment, but it is accessible through the payload below.

{{ grav.twig.twig.extensions.core.setEscaper('a','a') }}

At this point, it accepts callable type as an argument, but as there is no validation for the $callable variable, attackers can set dangerous functions like system as the escaper function.

PoC

{{ var_dump(grav.twig.twig.extensions.core.setEscaper('system','twig_array_filter')) }}
{{ var_dump(['id'] | escape('system', 'system')) }}

Impact

Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-28119

GHSA ID

GHSA-2m7x-c7px-hp58

EPSS Score

0.8225%

CWE

CWE-94

Published

3/22/2024

Updated

1/3/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getgrav/grav	composer	< 1.7.45	1.7.45

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the unrestricted access to Twig's EscaperExtension::setEscaper method in Grav's Twig environment. This method accepts a callable argument without validation, enabling attackers to register PHP functions like system as escapers. The PoC demonstrates this by setting twig_array_filter (a valid callable) as the 'system' escaper and triggering it via the escape filter. Grav's patch explicitly blocks access to core.setEscaper in Security::cleanDangerousTwig, confirming its role in the exploit chain. The function's design (lack of input validation) combined with Grav's insecure exposure of the method to template processing creates the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *u* to t** unr*stri*t** ****ss to twi* *xt*nsion *l*ss *rom *r*v *ont*xt, *n *tt**k*r **n r****in* t** *s**p* *un*tion *n* *x**ut* *r*itr*ry *omm*n*s. ### **t*ils *ttps://*it*u*.*om/twi*p*p/Twi*/*lo*/*.x/sr*/*xt*nsion/*s**p*r*xt*nsion.p*

Reasoning

T** vuln*r**ility st*ms *rom t** unr*stri*t** ****ss to Twi*'s *s**p*r*xt*nsion::s*t*s**p*r m*t*o* in *r*v's Twi* *nvironm*nt. T*is m*t*o* ****pts * **ll**l* *r*um*nt wit*out v*li**tion, *n**lin* *tt**k*rs to r**ist*r P*P *un*tions lik* syst*m *s *s*

8.8

Basic Information

Concerned about an active attack path?

CVE-2024-28119: Server Side Template Injection (SSTI) via Twig escape handler

Summary

Details

PoC

Impact

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI