Return of Wrong Status Code in Grav CMS - CVE-2023-37897

 

Return of Wrong Status Code in Grav CMS - CVE-2023-37897

Published: July 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU130047
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-37897
CWE-ID: CWE-393
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grav CMS
Affected software:
Grav CMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to return of wrong status code in isDangerousFunction() when processing Twig |map input containing a double backslash. A remote privileged user can submit a specially crafted Twig payload to execute arbitrary code.

Exploitation requires access to the Admin panel with page create or update permissions and Twig processing enabled for the modified page.


How to mitigate CVE-2023-37897

Install security update from vendor's website.

Sources