Grav
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- <= 9.1.7
An arbitrary file write vulnerability has been identified in the Grav Form plugin, affecting versions prior to 9.1.8. The issue arises in the 'process.save.filename' parameter, which is initially validated against path traversal before being processed by Twig templates. However, this validation is not reapplied after rendering, creating a time-of-check to time-of-use (TOCTOU) vulnerability. Attackers can exploit this by submitting form data with path traversal sequences, which are then processed through Twig, allowing them to write arbitrary files, including PHP webshells, to the web root or other sensitive directories.
Exploitation of this vulnerability allows authenticated users with page editor privileges to write arbitrary files outside the intended directories. This could include deploying webshells, overwriting plugin PHP files, poisoning Twig templates, or writing SSH keys if the web server user has a home directory with an .ssh folder.
To reproduce this vulnerability, a page editor must first create a form that uses a Twig-templated filename in the 'process.save.filename' parameter. This form can be submitted by any visitor, which will trigger the vulnerability. The submitted form data can include path traversal sequences that exploit the lack of post-Twig validation, allowing for arbitrary file writes.
Users are advised to update Grav to version 9.1.8 or later, where this vulnerability has been patched.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.