Main Vulnerability Database Vulnerabilities #VU52365

Improper access control in Grav Admin Plugin - CVE-2021-21425

Published: April 20, 2021 / Updated: November 15, 2024

Vulnerability identifier: #VU52365

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2021-21425

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: Grav CMS

Affected software:
Grav Admin Plugin

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can execute some methods of administrator controller without needing any credentials, leading to arbitrary YAML file creation or content change of existing YAML files on the system.

How to mitigate CVE-2021-21425

Install updates from vendor's website.

Sources

https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj
https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/

Improper access control in Grav Admin Plugin - CVE-2021-21425

Detailed vulnerability description

How to mitigate CVE-2021-21425

Sources

Please verify you're human