Main Vulnerability Database SB2021042007

SB2021042007 - Improper access control in Grav Admin Plugin

Published: April 20, 2021 Updated: November 15, 2024

Security Bulletin ID SB2021042007

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper access control (CVE-ID: CVE-2021-21425)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can execute some methods of administrator controller without needing any credentials, leading to arbitrary YAML file creation or content change of existing YAML files on the system.

Remediation

Install update from vendor's website.

References

https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj
https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/