https://feed.craftedsignal.io/vendors/getgrav/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 30 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-30-grav-filecache-deserialization/Tue, 30 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-30-grav-filecache-deserialization/Grav versions 1.7.44 through 1.7.49.5 are vulnerable to insecure deserialization in the File Cache component, where the `unserialize` function with `allowed_classes => true` can lead to arbitrary code execution if an attacker tampers with cache files.Grav, a flat-file CMS, versions 1.7.44 through 1.7.49.5 are susceptible to an insecure deserialization vulnerability within the FileCache component. Specifically, the unserialize() function in system/src/Grav/Framework/Cache/Adapter/FileCache.php utilizes the allowed_classes => true option, which permits the instantiation of arbitrary classes without any restrictions. This vulnerability can be exploited if an attacker gains the ability to tamper with or poison the cache files used by Grav. By injecting malicious serialized objects into these cache files, an attacker can trigger the execution of arbitrary code when the application attempts to deserialize the tampered cache data. This issue was reported on May 5th, 2026. A fix has been implemented in Grav core on the 2.0 branch (commit c66dfeb5f), set to be included in version 2.0.0-beta.2. This fix introduces HMAC signing and verification to ensure the integrity of cache payloads.

Attack Chain

1. The attacker gains access to the Grav server’s filesystem with write privileges to the cache directory.
2. The attacker crafts a malicious PHP object that, when unserialized, will execute arbitrary code. This payload could leverage existing classes or magic methods like __wakeup() to achieve code execution.
3. The attacker serializes the malicious PHP object using the serialize() function.
4. The attacker overwrites an existing cache file or creates a new one containing the serialized payload in the Grav cache directory (location varies based on configuration, but default is often in cache/).
5. The Grav application attempts to read the tampered cache file using the FileCache::doGet() function.
6. The unserialize($value, ['allowed_classes' => true]) function is called on the tampered cache data.
7. The malicious PHP object is deserialized, triggering the execution of the attacker’s code.
8. The attacker achieves arbitrary code execution on the Grav server, potentially leading to full system compromise, data exfiltration, or further malicious activities.

Impact

Successful exploitation of this vulnerability allows attackers to execute arbitrary code on the Grav server. This can lead to complete system compromise, data exfiltration, defacement of websites, or the installation of backdoors for persistent access. Given that Grav is a CMS, this can impact any website or application built on the platform. The number of potential victims is dependent on the number of Grav installations running the vulnerable versions (1.7.44 - 1.7.49.5) and the attacker’s ability to access and modify the cache files.

Recommendation

• Upgrade to Grav version 2.0.0-beta.2 or later, where the vulnerability is addressed with HMAC signing of cache payloads, as detailed in commit c66dfeb5f.
• Monitor file system access, particularly writes to the cache directory, for suspicious activity. Consider deploying file integrity monitoring tools to detect unauthorized modifications to cache files.
• If upgrading is not immediately feasible, implement strict access controls to the cache directory to prevent unauthorized write access.
• Review and audit any plugins or custom code that utilize the Grav\Framework\Cache\Adapter\FileCache class, ensuring they are not susceptible to cache poisoning attacks.
• Implement the provided PoC locally to validate your exposure and test the effectiveness of mitigations.

]]>highadvisoryinsecure-deserializationcode-executiongravweb-applicationhttps://feed.craftedsignal.io/briefs/2024-01-grav-api-privesc/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-grav-api-privesc/A privilege escalation vulnerability in the Grav API plugin allows authenticated users with basic API access to elevate their privileges to Super Administrator, leading to full system compromise and potential remote code execution.A critical vulnerability exists within the Grav API plugin (composer/getgrav/grav-plugin-api) versions prior to 1.0.0-beta.15. This vulnerability, identified as CVE-2026-42843, allows any authenticated user with the api.access permission to escalate their privileges to Super Administrator. The flaw is due to an insecure direct object reference and logic error in the UsersController::update method, specifically in how user permissions are updated via the API. By sending a crafted PATCH request, a low-privileged user can modify their own access control list (ACL) to include admin.super and api.super permissions. Successful exploitation grants the attacker full control over the Grav CMS instance.

Attack Chain

1. Attacker obtains a low-privileged user account with api.access permission on the Grav CMS.
2. The attacker authenticates to the Grav API using the obtained credentials to receive a valid JWT access token via a POST request to /api/v1/auth/token.
3. The attacker crafts a malicious PATCH request to the /api/v1/users/{username} endpoint, targeting their own username.
4. The PATCH request includes a JSON payload that modifies the user’s access field, specifically setting admin.super and api.super to true. For example: {"access":{"admin":{"login":true,"super":true},"api":{"access":true,"super":true},"site":{"login":true}}}.
5. The attacker sends the crafted PATCH request to the target Grav CMS instance, including the JWT access token in the X-API-Token header.
6. The vulnerable UsersController::update method in user/plugins/api/classes/Api/Controllers/UsersController.php processes the request without properly validating the user’s authority to modify their own permissions.
7. The user’s access field is updated with the malicious payload, granting them Super Administrator privileges.
8. The attacker logs into the Grav Admin panel using the compromised user credentials and now has full control over the Grav CMS, able to modify content, install plugins, and potentially execute arbitrary code.

Impact

This privilege escalation vulnerability (CVE-2026-42843) allows any low-privileged user to gain complete control over a Grav CMS instance. An attacker can modify website content, inject malicious code, install backdoors, and potentially achieve remote code execution (RCE) on the underlying server by modifying Twig templates. This can lead to data breaches, website defacement, and complete compromise of the affected system.

Recommendation

• Upgrade the composer/getgrav/grav-plugin-api package to version 1.0.0-beta.15 or later to patch CVE-2026-42843.
• Deploy the Sigma rule “Detect Grav API User Permission Escalation Attempt” to identify attempted exploitation of this vulnerability by monitoring for PATCH requests to /api/v1/users/ with modified access parameters.

]]>highadvisoryprivilege-escalationweb-applicationgrav