CVE-2024-28116

Description

Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.

NVD
Severity: N/A
CVE ID: CVE-2024-28116
CVSS Score: N/A
CVSS Metrics: NVD assessment not yet provided.

GitHub, Inc.
Severity: HIGH
CVE ID: CVE-2024-28116
CVSS Score: 8.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Refrence: NVD MITRE

Proof Of Concept

akabe1

Proof of Concept script to exploit the authenticated SSTI+RCE in Grav CMS (CVE-2024-28116)

Refrence: GitHub

Description​

Proof Of Concept​

Description

Proof Of Concept