Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.5
CVSSv2

CVE-2021-21425

Published: 07/04/2021 Updated: 24/10/2022
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Getgrav

Vulnerability Summary

Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and previous versions, an unauthenticated user can execute some methods of administrator controller without needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes, such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability, an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command under the context of the web-server user. This vulnerability is fixed in version 1.10.8. Blocking access to the `/admin` path from untrusted sources can be applied as a workaround.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

getgrav grav-plugin-admin

Github Repositories

https://github.com/frknktlca/GravCMS_Nmap_Script

It is a nmap script for GravCMS vulnerability (CVE-2021-21425)

GravCMS_Nmap_Script It is a nmap script for GravCMS vulnerability (CVE-2021-21425) USAGE -- nmap -p443 --script grav_cmsnse -- PORT STATE SERVICE -- 443/tcp open https -- | grav_cms: -- | VULNERABLE: -- | GravCMS (CVE-2021-21425) -- | State: VULNERABLE (Exploitable) -- | IDs: CVE:CVE-2021-21425 -- | GravCMS Unauthenticated Arbitrary YAML Write/Update le

https://github.com/CsEnox/CVE-2021-21425

GravCMS Unauthenticated Arbitrary YAML Write/Update leads to Code Execution (CVE-2021-21425)

CVE-2021-21425 GravCMS Unauthenticated Arbitrary YAML Write/Update leads to Code Execution (CVE-2021-21425) Reference : pentestblog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/

References

NVD-CWE-Otherhttps://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pjhttp://packetstormsecurity.com/files/162283/GravCMS-1.10.7-Remote-Command-Execution.htmlhttp://packetstormsecurity.com/files/162457/GravCMS-1.10.7-Remote-Command-Execution.htmlhttps://nvd.nist.govhttps://github.com/frknktlca/GravCMS_Nmap_Script
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-22120CVE-2024-35921CVE-2024-35874brute forceCVE-2024-36080unprivilegedCVE-2024-35917IDORCVE-2024-4947
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook