CVE-2024-27921: Grav File Upload Path Traversal

March 22, 2024 (updated October 4, 2024)

Grav is vulnerable to a file upload path traversal vulnerability, that can allow an adversary to replace or create files with extensions such as .json, .zip, .css, .gif, etc. This vulnerabiltiy can allow attackers to inject arbitrary code on the server, undermine integrity of backup files by overwriting existing backups or creating new ones, and exfiltrating sensitive data using CSS Injection exfiltration techniques.

References

github.com/advisories/GHSA-m7hx-hw6h-mqmc
github.com/getgrav/grav
github.com/getgrav/grav/commit/5928411b86bab05afca2b33db4e7386a44858e99
github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc
nvd.nist.gov/vuln/detail/CVE-2024-27921

Detect and mitigate CVE-2024-27921 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →