https://feed.craftedsignal.io/vendors/grav/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 09 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-grav-rce/Tue, 09 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-grav-rce/Multiple critical and high severity remote code execution vulnerabilities exist in Grav CMS due to unsafe unserialize functions, command injection in git clone, and an SSTI blocklist bypass, impacting versions prior to 2.0.0-beta.2.Multiple remote code execution (RCE) vulnerabilities have been identified in Grav CMS, a flat-file content management system. These vulnerabilities, including unsafe unserialize functions in JobQueue, FileCache, and Session, a command injection in git clone, and a server-side template injection (SSTI) blocklist bypass, allow attackers to execute arbitrary code on affected systems. The vulnerabilities are present in Grav CMS versions prior to 2.0.0-beta.2 and were patched in commit c66dfeb5f and 38685ac25. Successful exploitation of these vulnerabilities could lead to complete system compromise, data theft, and disruption of service. The most concerning are the unserialize issues, as they do not require admin access and can be triggered by any file write primitive.

Attack Chain

1. An attacker gains the ability to write files to the Grav CMS server, either through an existing vulnerability (e.g., file upload) or misconfiguration.
2. The attacker crafts a serialized PHP object containing malicious code.
3. For JobQueue or FileCache exploitation, the attacker writes this serialized object to the appropriate cache file location. For Session exploitation, the attacker sets a crafted serialized object within a session variable.
4. The Grav CMS application deserializes the crafted object using unserialize(), without proper input validation.
5. The deserialization process instantiates the malicious object, triggering the execution of arbitrary code. Specifically, the JobQueue vulnerability allows direct RCE via Job::exec → call_user_func_array.
6. For the git clone command injection, an administrator attempts to install a malicious plugin or theme. The attacker injects commands into the branch, url, or path parameters within the plugin’s or theme’s configuration.
7. The InstallCommand.php script executes a git clone command, incorporating the attacker-controlled parameters without proper sanitization.
8. The injected commands are executed on the server, granting the attacker arbitrary code execution.

Impact

Successful exploitation of these vulnerabilities can lead to complete system compromise. An attacker could gain unauthorized access to sensitive data, modify website content, install backdoors, or use the compromised server as a launchpad for further attacks. The unserialize vulnerabilities are especially critical as they do not require administrative privileges if an attacker can write to the cache directory. The impact includes potential data theft, service disruption, and reputational damage.

Recommendation

• Upgrade Grav CMS to version 2.0.0-beta.2 or later to patch the vulnerabilities described in this brief.
• Implement the Sigma rule Detect Unsafe PHP Unserialize to identify attempts to exploit the unserialize vulnerabilities in web server logs.
• Review and harden file upload and file management functionalities to prevent unauthorized file writes to the Grav CMS server.
• Monitor process creation events for git commands executed by the web server user, using the Sigma rule Detect Git Clone Command Injection.

]]>criticalthreatrceunserializecommand-injectionsstihttps://feed.craftedsignal.io/briefs/2024-01-grav-privesc/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-grav-privesc/Unauthenticated users can escalate privileges to admin in Grav CMS by manipulating registration data due to missing server-side validation in the Login plugin.A critical privilege escalation vulnerability exists in the Grav CMS Login plugin, version 3.8.0, affecting Grav Core versions prior to 2.0.0-beta.2. The vulnerability stems from the Login::register() method not validating the groups and access fields during user registration. If registration is enabled and these fields are included in the allowed registration fields, an unauthenticated user can craft a malicious registration request to assign themselves admin privileges. This can lead to complete compromise of the Grav CMS instance, allowing attackers to modify content, install malicious plugins, and potentially execute arbitrary code. The vulnerability is tracked as CVE-2026-42613. The fix was applied on 2026-04-24 and released in grav-plugin-login 3.8.2.

Attack Chain

1. The attacker identifies a Grav CMS instance with user registration enabled and the groups or access fields included in the allowed registration fields.
2. The attacker crafts a malicious HTTP POST request to the /user_register endpoint, including username, password, email, and fullname fields.
3. The attacker injects groups and access fields into the POST request with values designed to grant admin privileges (e.g., groups[]=admins, access[admin][super]=true).
4. The Login::register() method processes the registration data without proper validation of the injected groups and access fields.
5. The attacker-controlled groups and access values are assigned directly to the newly created user object.
6. The user object is saved, creating a new user account with admin privileges in the user/accounts/ directory.
7. The attacker logs in to the Grav admin panel using the newly created account.
8. The attacker leverages their admin access to install malicious plugins or execute arbitrary code on the server, achieving complete system compromise.

Impact

Successful exploitation of this vulnerability grants unauthenticated attackers full administrative access to the Grav CMS instance. This can lead to complete website defacement, data exfiltration, or remote code execution. Since no victim count or specific sector targeting is mentioned in the advisory, we can assume any Grav instance with the vulnerable configuration is at risk, potentially impacting numerous websites and organizations relying on Grav CMS.

Recommendation

• Upgrade to grav-plugin-login version 3.8.2 or later to patch CVE-2026-42613.
• If upgrading is not immediately feasible, remove groups and access from the allowed registration fields in the Login plugin configuration.
• Deploy the Sigma rule Detect Malicious Grav User Registration to identify registration attempts with injected admin privileges based on user-registration requests.
• Monitor web server logs for POST requests to the /user_register endpoint containing groups or access parameters using the Grav Registration Attempt with Group/Access Parameters Sigma rule.

]]>criticaladvisorygravprivilege-escalationweb