Search criteria
15 vulnerabilities found for grav_cms by getgrav
FKIE_CVE-2020-29553
Vulnerability from fkie_nvd - Published: 2021-03-15 19:15 - Updated: 2024-11-21 05:24
Severity ?
Summary
The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF).
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getgrav | grav_cms | * | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C1985151-1043-4E2A-A17C-12D748E23D43",
"versionEndIncluding": "1.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "499C8899-38B4-4F7D-914B-92B3C04599CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta10:*:*:*:*:*:*",
"matchCriteriaId": "511D3EB9-0FB7-4318-89A2-969397A6DE6B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "6E4F6270-4B29-4663-AB38-0DE48B27A7BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "A32B2D73-260D-4B5C-BFDF-017CA0C010AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "F169B505-27D4-4791-A87C-B68F75E778A8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "351B9084-101A-4308-9F02-61CA44D12A4F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta6:*:*:*:*:*:*",
"matchCriteriaId": "B45DC4F5-B4AB-4070-B185-B0D8A4D616D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta7:*:*:*:*:*:*",
"matchCriteriaId": "19FC7C3F-57A0-4824-A9EC-5F007EBF921B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta8:*:*:*:*:*:*",
"matchCriteriaId": "2919E961-7EE8-48B3-A17A-6E3FF571F0CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta9:*:*:*:*:*:*",
"matchCriteriaId": "1538A29A-A958-4FB1-8931-781720C8DEE9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B9FC2E00-F6D4-4172-9EB6-0C81CD58713F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "3E6C1E78-CE7E-4DB7-83D8-0DEE0526F3C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc11:*:*:*:*:*:*",
"matchCriteriaId": "6B837851-C7FC-4605-9CD3-380D28FA4923",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc12:*:*:*:*:*:*",
"matchCriteriaId": "090C687F-9F26-428D-825C-185AE31B020E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc13:*:*:*:*:*:*",
"matchCriteriaId": "C89B132B-5278-422F-A1B0-B76ABC79837D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc14:*:*:*:*:*:*",
"matchCriteriaId": "2EC75BB8-1E6D-436F-A3C2-5A1087C192F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc15:*:*:*:*:*:*",
"matchCriteriaId": "61421EB3-D64E-4A2B-9D4E-07AD716785E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc16:*:*:*:*:*:*",
"matchCriteriaId": "0AB53A48-AB04-4DB9-8360-76CB41413181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc17:*:*:*:*:*:*",
"matchCriteriaId": "07341814-847C-4500-8FBB-B9C043D1AE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "36AF015F-3CA5-46C7-BFE1-91691D9818EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "88AE4BCB-9DB8-483D-A8F7-53760E5A50BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "033036C0-3A87-450C-8218-9D04B860E8D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "857C3641-4B43-4812-9806-11608D1729FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "79172D0E-6A30-4090-B79F-72D6637A7A16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "D842FBBB-632B-4E43-BB21-D24476252B6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "D7C52869-66A2-4059-9407-D86BFF0F06BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc9:*:*:*:*:*:*",
"matchCriteriaId": "EF62571B-B8C7-4001-AAAC-45CC8E728398",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF)."
},
{
"lang": "es",
"value": "El Scheduler en Grav CMS versiones hasta 1.7.0-rc.17, permite a un atacante ejecutar un comando del sistema al enga\u00f1ar a un administrador de visitar un sitio web malicioso (CSRF)"
}
],
"id": "CVE-2020-29553",
"lastModified": "2024-11-21T05:24:11.450",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-15T19:15:13.243",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-29555
Vulnerability from fkie_nvd - Published: 2021-03-15 18:15 - Updated: 2024-11-21 05:24
Severity ?
Summary
The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/ | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/ | Exploit, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getgrav | grav_cms | * | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A43F940A-E458-4B1A-801B-C90B5E073FA8",
"versionEndExcluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "499C8899-38B4-4F7D-914B-92B3C04599CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta10:*:*:*:*:*:*",
"matchCriteriaId": "511D3EB9-0FB7-4318-89A2-969397A6DE6B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "6E4F6270-4B29-4663-AB38-0DE48B27A7BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "A32B2D73-260D-4B5C-BFDF-017CA0C010AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "F169B505-27D4-4791-A87C-B68F75E778A8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "351B9084-101A-4308-9F02-61CA44D12A4F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta6:*:*:*:*:*:*",
"matchCriteriaId": "B45DC4F5-B4AB-4070-B185-B0D8A4D616D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta7:*:*:*:*:*:*",
"matchCriteriaId": "19FC7C3F-57A0-4824-A9EC-5F007EBF921B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta8:*:*:*:*:*:*",
"matchCriteriaId": "2919E961-7EE8-48B3-A17A-6E3FF571F0CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta9:*:*:*:*:*:*",
"matchCriteriaId": "1538A29A-A958-4FB1-8931-781720C8DEE9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B9FC2E00-F6D4-4172-9EB6-0C81CD58713F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "3E6C1E78-CE7E-4DB7-83D8-0DEE0526F3C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc11:*:*:*:*:*:*",
"matchCriteriaId": "6B837851-C7FC-4605-9CD3-380D28FA4923",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc12:*:*:*:*:*:*",
"matchCriteriaId": "090C687F-9F26-428D-825C-185AE31B020E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc13:*:*:*:*:*:*",
"matchCriteriaId": "C89B132B-5278-422F-A1B0-B76ABC79837D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc14:*:*:*:*:*:*",
"matchCriteriaId": "2EC75BB8-1E6D-436F-A3C2-5A1087C192F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc15:*:*:*:*:*:*",
"matchCriteriaId": "61421EB3-D64E-4A2B-9D4E-07AD716785E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc16:*:*:*:*:*:*",
"matchCriteriaId": "0AB53A48-AB04-4DB9-8360-76CB41413181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc17:*:*:*:*:*:*",
"matchCriteriaId": "07341814-847C-4500-8FBB-B9C043D1AE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "36AF015F-3CA5-46C7-BFE1-91691D9818EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc20:*:*:*:*:*:*",
"matchCriteriaId": "15E200E4-C228-4114-A353-96D078DA33D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "88AE4BCB-9DB8-483D-A8F7-53760E5A50BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "033036C0-3A87-450C-8218-9D04B860E8D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "857C3641-4B43-4812-9806-11608D1729FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "79172D0E-6A30-4090-B79F-72D6637A7A16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "D842FBBB-632B-4E43-BB21-D24476252B6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "D7C52869-66A2-4059-9407-D86BFF0F06BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc9:*:*:*:*:*:*",
"matchCriteriaId": "EF62571B-B8C7-4001-AAAC-45CC8E728398",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)"
},
{
"lang": "es",
"value": "La funcionalidad BackupDelete en Grav CMS versiones hasta 1.7.0-rc.17, permite a un atacante autenticado eliminar archivos arbitrarios en el servidor subyacente al explotar una t\u00e9cnica de salto de ruta.\u0026#xa0;(Esta vulnerabilidad tambi\u00e9n puede ser explotada por un atacante no autenticado debido a una falta de protecci\u00f3n CSRF)"
}
],
"id": "CVE-2020-29555",
"lastModified": "2024-11-21T05:24:11.610",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-15T18:15:17.253",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-29556
Vulnerability from fkie_nvd - Published: 2021-03-15 18:15 - Updated: 2024-11-21 05:24
Severity ?
Summary
The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/ | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/ | Exploit, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getgrav | grav_cms | * | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 | |
| getgrav | grav_cms | 1.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A43F940A-E458-4B1A-801B-C90B5E073FA8",
"versionEndExcluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "499C8899-38B4-4F7D-914B-92B3C04599CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta10:*:*:*:*:*:*",
"matchCriteriaId": "511D3EB9-0FB7-4318-89A2-969397A6DE6B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "6E4F6270-4B29-4663-AB38-0DE48B27A7BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "A32B2D73-260D-4B5C-BFDF-017CA0C010AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "F169B505-27D4-4791-A87C-B68F75E778A8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "351B9084-101A-4308-9F02-61CA44D12A4F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta6:*:*:*:*:*:*",
"matchCriteriaId": "B45DC4F5-B4AB-4070-B185-B0D8A4D616D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta7:*:*:*:*:*:*",
"matchCriteriaId": "19FC7C3F-57A0-4824-A9EC-5F007EBF921B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta8:*:*:*:*:*:*",
"matchCriteriaId": "2919E961-7EE8-48B3-A17A-6E3FF571F0CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta9:*:*:*:*:*:*",
"matchCriteriaId": "1538A29A-A958-4FB1-8931-781720C8DEE9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B9FC2E00-F6D4-4172-9EB6-0C81CD58713F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "3E6C1E78-CE7E-4DB7-83D8-0DEE0526F3C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc11:*:*:*:*:*:*",
"matchCriteriaId": "6B837851-C7FC-4605-9CD3-380D28FA4923",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc12:*:*:*:*:*:*",
"matchCriteriaId": "090C687F-9F26-428D-825C-185AE31B020E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc13:*:*:*:*:*:*",
"matchCriteriaId": "C89B132B-5278-422F-A1B0-B76ABC79837D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc14:*:*:*:*:*:*",
"matchCriteriaId": "2EC75BB8-1E6D-436F-A3C2-5A1087C192F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc15:*:*:*:*:*:*",
"matchCriteriaId": "61421EB3-D64E-4A2B-9D4E-07AD716785E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc16:*:*:*:*:*:*",
"matchCriteriaId": "0AB53A48-AB04-4DB9-8360-76CB41413181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc17:*:*:*:*:*:*",
"matchCriteriaId": "07341814-847C-4500-8FBB-B9C043D1AE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "36AF015F-3CA5-46C7-BFE1-91691D9818EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc20:*:*:*:*:*:*",
"matchCriteriaId": "15E200E4-C228-4114-A353-96D078DA33D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "88AE4BCB-9DB8-483D-A8F7-53760E5A50BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "033036C0-3A87-450C-8218-9D04B860E8D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "857C3641-4B43-4812-9806-11608D1729FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "79172D0E-6A30-4090-B79F-72D6637A7A16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "D842FBBB-632B-4E43-BB21-D24476252B6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "D7C52869-66A2-4059-9407-D86BFF0F06BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc9:*:*:*:*:*:*",
"matchCriteriaId": "EF62571B-B8C7-4001-AAAC-45CC8E728398",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)"
},
{
"lang": "es",
"value": "La funcionalidad Backup en Grav CMS versiones hasta 1.7.0-rc.17, permite a un atacante autenticado leer archivos locales arbitrarios en el servidor subyacente al explotar una t\u00e9cnica de salto de ruta.\u0026#xa0;(Esta vulnerabilidad tambi\u00e9n puede ser explotada por un atacante no autenticado debido a una falta de protecci\u00f3n CSRF)"
}
],
"id": "CVE-2020-29556",
"lastModified": "2024-11-21T05:24:11.770",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-15T18:15:17.317",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-16126
Vulnerability from fkie_nvd - Published: 2019-09-09 02:15 - Updated: 2024-11-21 04:30
Severity ?
Summary
Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/getgrav/grav/issues/2657 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/getgrav/grav/issues/2657 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A1F6DD99-DE8D-4DF7-9EBF-79EED9502911",
"versionEndIncluding": "1.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images."
},
{
"lang": "es",
"value": "Grav a 1.6.15 permite secuencias de comandos entre sitios (almacenadas) debido a la ejecuci\u00f3n de JavaScript en im\u00e1genes SVG."
}
],
"id": "CVE-2019-16126",
"lastModified": "2024-11-21T04:30:06.037",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-09-09T02:15:10.470",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/getgrav/grav/issues/2657"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/getgrav/grav/issues/2657"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-5233
Vulnerability from fkie_nvd - Published: 2018-03-19 21:29 - Updated: 2024-11-21 04:08
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2018/03/15/1 | Exploit, Mailing List, Third Party Advisory | |
| cve@mitre.org | https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2018/03/15/1 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getgrav:grav_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "50360D43-05F1-43B6-B3CD-BC19F8BBEFFC",
"versionEndExcluding": "1.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) en system/src/Grav/Common/Twig/Twig.php en Grav CMS en versiones anteriores a la 1.3.0 permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante PATH_INFO en admin/tools."
}
],
"id": "CVE-2018-5233",
"lastModified": "2024-11-21T04:08:23.507",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-03-19T21:29:00.940",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/15/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/15/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2020-29553 (GCVE-0-2020-29553)
Vulnerability from cvelistv5 – Published: 2021-03-15 18:20 – Updated: 2024-08-04 16:55
VLAI?
Summary
The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF).
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:55:10.462Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-15T18:20:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-29553",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/",
"refsource": "MISC",
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29553",
"datePublished": "2021-03-15T18:20:50",
"dateReserved": "2020-12-04T00:00:00",
"dateUpdated": "2024-08-04T16:55:10.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-29555 (GCVE-0-2020-29555)
Vulnerability from cvelistv5 – Published: 2021-03-15 18:00 – Updated: 2024-08-04 16:55
VLAI?
Summary
The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:55:10.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-15T18:00:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-29555",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/",
"refsource": "MISC",
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29555",
"datePublished": "2021-03-15T18:00:01",
"dateReserved": "2020-12-04T00:00:00",
"dateUpdated": "2024-08-04T16:55:10.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-29556 (GCVE-0-2020-29556)
Vulnerability from cvelistv5 – Published: 2021-03-15 17:58 – Updated: 2024-08-04 16:55
VLAI?
Summary
The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:55:10.299Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-15T17:58:17",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-29556",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/",
"refsource": "MISC",
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29556",
"datePublished": "2021-03-15T17:58:17",
"dateReserved": "2020-12-04T00:00:00",
"dateUpdated": "2024-08-04T16:55:10.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16126 (GCVE-0-2019-16126)
Vulnerability from cvelistv5 – Published: 2019-09-09 01:01 – Updated: 2024-08-05 01:10
VLAI?
Summary
Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:10:39.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getgrav/grav/issues/2657"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-09T01:01:23",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getgrav/grav/issues/2657"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16126",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/getgrav/grav/issues/2657",
"refsource": "MISC",
"url": "https://github.com/getgrav/grav/issues/2657"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16126",
"datePublished": "2019-09-09T01:01:23",
"dateReserved": "2019-09-08T00:00:00",
"dateUpdated": "2024-08-05T01:10:39.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-5233 (GCVE-0-2018-5233)
Vulnerability from cvelistv5 – Published: 2018-03-19 21:00 – Updated: 2024-08-05 05:33
VLAI?
Summary
Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:33:42.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/"
},
{
"name": "[oss-security] 20180315 [CVE-2018-5233] Grav CMS admin plugin Reflected Cross Site Scripting (XSS) vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/15/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-03-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-19T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/"
},
{
"name": "[oss-security] 20180315 [CVE-2018-5233] Grav CMS admin plugin Reflected Cross Site Scripting (XSS) vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/15/1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-5233",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/",
"refsource": "MISC",
"url": "https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/"
},
{
"name": "[oss-security] 20180315 [CVE-2018-5233] Grav CMS admin plugin Reflected Cross Site Scripting (XSS) vulnerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/03/15/1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-5233",
"datePublished": "2018-03-19T21:00:00",
"dateReserved": "2018-01-05T00:00:00",
"dateUpdated": "2024-08-05T05:33:42.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-29553 (GCVE-0-2020-29553)
Vulnerability from nvd – Published: 2021-03-15 18:20 – Updated: 2024-08-04 16:55
VLAI?
Summary
The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF).
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:55:10.462Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-15T18:20:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-29553",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/",
"refsource": "MISC",
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29553",
"datePublished": "2021-03-15T18:20:50",
"dateReserved": "2020-12-04T00:00:00",
"dateUpdated": "2024-08-04T16:55:10.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-29555 (GCVE-0-2020-29555)
Vulnerability from nvd – Published: 2021-03-15 18:00 – Updated: 2024-08-04 16:55
VLAI?
Summary
The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:55:10.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-15T18:00:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-29555",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/",
"refsource": "MISC",
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29555",
"datePublished": "2021-03-15T18:00:01",
"dateReserved": "2020-12-04T00:00:00",
"dateUpdated": "2024-08-04T16:55:10.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-29556 (GCVE-0-2020-29556)
Vulnerability from nvd – Published: 2021-03-15 17:58 – Updated: 2024-08-04 16:55
VLAI?
Summary
The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:55:10.299Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-15T17:58:17",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-29556",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/",
"refsource": "MISC",
"url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29556",
"datePublished": "2021-03-15T17:58:17",
"dateReserved": "2020-12-04T00:00:00",
"dateUpdated": "2024-08-04T16:55:10.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16126 (GCVE-0-2019-16126)
Vulnerability from nvd – Published: 2019-09-09 01:01 – Updated: 2024-08-05 01:10
VLAI?
Summary
Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:10:39.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getgrav/grav/issues/2657"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-09T01:01:23",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getgrav/grav/issues/2657"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16126",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/getgrav/grav/issues/2657",
"refsource": "MISC",
"url": "https://github.com/getgrav/grav/issues/2657"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16126",
"datePublished": "2019-09-09T01:01:23",
"dateReserved": "2019-09-08T00:00:00",
"dateUpdated": "2024-08-05T01:10:39.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-5233 (GCVE-0-2018-5233)
Vulnerability from nvd – Published: 2018-03-19 21:00 – Updated: 2024-08-05 05:33
VLAI?
Summary
Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:33:42.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/"
},
{
"name": "[oss-security] 20180315 [CVE-2018-5233] Grav CMS admin plugin Reflected Cross Site Scripting (XSS) vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/15/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-03-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-19T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/"
},
{
"name": "[oss-security] 20180315 [CVE-2018-5233] Grav CMS admin plugin Reflected Cross Site Scripting (XSS) vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/15/1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-5233",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/",
"refsource": "MISC",
"url": "https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/"
},
{
"name": "[oss-security] 20180315 [CVE-2018-5233] Grav CMS admin plugin Reflected Cross Site Scripting (XSS) vulnerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/03/15/1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-5233",
"datePublished": "2018-03-19T21:00:00",
"dateReserved": "2018-01-05T00:00:00",
"dateUpdated": "2024-08-05T05:33:42.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}