Grav
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- <= 1.7.48
A vulnerability in Grav CMS prior to version 1.8.0-beta.27 allows users who have admin panel access and permission to create or edit pages to inject malicious Twig expressions. This injection can be used to escalate privileges to admin or to execute arbitrary system commands via the scheduler API, leading to both privilege escalation and remote code execution. The vulnerability arises because Twig processing can be enabled in the page frontmatter and the Twig sandbox is not enforced, which gives the injected expressions full access to backend PHP objects and methods.
Exploitation of this vulnerability allows for unauthorized privilege escalation to admin rights and the execution of arbitrary system commands via the Grav scheduler API.
To reproduce this vulnerability, log in as a non-admin user with permission to create or edit pages. Access the admin panel and enable Twig processing for a page. Inject a payload that utilizes Grav's user management or scheduler API, such as commands to update user privileges or execute system commands. After saving the page, the injected code will be executed, resulting in privilege escalation or command execution, depending on the payload used.
Update to Grav CMS version 1.8.0-beta.27 or later, which fixes this vulnerability.
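As an added defender-side check (not code from Grav or from this advisory), the Python script below flags installed versions inside the affected range and audits page files whose frontmatter turns Twig processing on; it assumes Grav's nested `process: / twig: true` frontmatter key and the `X.Y.Z` / `X.Y.Z-beta.N` version forms, and runs on constructed sample pages.

```python
import re

# Fix version from the advisory; every earlier release is affected.
FIXED_VERSION = "1.8.0-beta.27"

# Constructed sample pages keyed by path (not from any real site).
SAMPLE_PAGES = {
    "user/pages/01.home/default.md": "---\ntitle: Home\n---\n# Home\n",
    "user/pages/02.blog/item.md": (
        "---\ntitle: Post\nprocess:\n  markdown: true\n  twig: true\n---\n"
        "{{ page.title }}\n"
    ),
    "user/pages/03.about/default.md": "---\ntitle: About\ntwig_first: true\n---\n",
}

def parse_version(v: str) -> tuple:
    """Turn '1.7.48' or '1.8.0-beta.27' into a sortable tuple; a final release
    outranks any beta of the same number (assumes only these two forms)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Grav version: {v!r}")
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch),
            int(beta) if beta is not None else float("inf"))

def is_affected(version: str) -> bool:
    """True when the installed version predates the fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def twig_enabled(page_text: str) -> bool:
    """True if the YAML frontmatter enables Twig via the nested 'process:' /
    'twig: true' keys (assumed Grav layout); a line scanner avoids a YAML lib."""
    m = re.match(r"---\n(.*?)\n---", page_text, re.S)
    if not m:
        return False
    in_process = False
    for line in m.group(1).splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith((" ", "\t")):  # top-level key
            in_process = key == "process"
        elif in_process and key == "twig" and value.strip().lower() == "true":
            return True
    return False

def audit(pages: dict) -> list:
    """Paths of pages whose frontmatter turns Twig processing on."""
    return sorted(p for p, text in pages.items() if twig_enabled(text))
```

Point `audit()` at the contents of a real `user/pages` tree to list every page that a page editor could have turned into a Twig execution point, and review those pages and their authors after upgrading.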