CVE-2024-27921

8.8 HIGH

📋 TL;DR

Grav CMS versions before 1.7.45 contain a file upload path traversal vulnerability that allows attackers to upload malicious files to arbitrary locations on the server. This can lead to remote code execution, data exfiltration, and system compromise. All Grav CMS installations prior to version 1.7.45 are affected.

💻 Affected Systems

Products:
  • Grav CMS
Versions: All versions prior to 1.7.45
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any Grav installation with file upload functionality enabled is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Full server compromise via arbitrary code execution, complete data exfiltration, and persistent backdoor installation.

🟠 Likely Case
Website defacement, data theft via CSS exfiltration, and backup file corruption.

🟢 If Mitigated
Limited impact with proper file upload restrictions and web application firewall rules in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in file upload handling and requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.45

Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc

Restart Required: No

Instructions:

1. Back up your Grav installation.
2. Update Grav to version 1.7.45 or later via the admin panel or command line.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable file uploads (applies to: all)
  • Temporarily disable all file upload functionality in Grav CMS
  • Edit Grav configuration to remove file upload permissions

Web Application Firewall rules (applies to: all)
  • Block path traversal patterns in file upload requests
  • Add WAF rules to detect and block '../' sequences in file upload parameters

🧯 If You Can't Patch

  • Implement strict file upload validation to reject any filenames containing path traversal sequences
  • Deploy a web application firewall with rules specifically targeting path traversal in file uploads

🔍 How to Verify

Check if Vulnerable:

Check the Grav version in the admin panel or via the CLI: php bin/grav version

Check Version:

php bin/grav version

Verify Fix Applied:

Confirm the version is 1.7.45 or higher: php bin/grav version

📡 Detection & Monitoring

Log Indicators:

  • File upload requests containing '../' sequences
  • Unexpected file creation in system directories
  • Multiple failed upload attempts with suspicious filenames

Network Indicators:

  • HTTP POST requests to upload endpoints with path traversal payloads
  • Unusual file extensions being uploaded to Grav

SIEM Query:

source="web_logs" AND (uri_path="*admin*" OR uri_path="*upload*") AND request_body MATCHES "\.\./"
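As an added example that is not part of this advisory, the following Python applies the log indicators above to a few constructed sample log lines. It goes beyond the literal "\.\./" pattern in the SIEM query by percent-decoding the filename (including double-encoded forms) and treating backslashes as separators, since a traversal sequence in an upload parameter will often arrive encoded. The log format and the `filename=` field are assumptions for illustration, not Grav's real log layout.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (format assumed for illustration):
# client IP, method, request path, optional upload filename parameter, status.
SAMPLE_LOGS = [
    '10.0.0.5 POST /admin/media/upload filename=report.pdf status=200',
    '10.0.0.5 POST /admin/media/upload filename=../../system/config/site.yaml status=200',
    '10.0.0.7 POST /admin/media/upload filename=..%2F..%2Fuser%2Fplugins%2Fx.php status=200',
    '10.0.0.7 POST /admin/media/upload filename=%252e%252e/images/a.jpg status=200',
    '10.0.0.9 GET /admin/pages status=200',
    '10.0.0.9 POST /admin/media/upload filename=..\\..\\system\\x.php status=200',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+)'
    r'(?: filename=(?P<filename>\S+))? status=(?P<status>\d+)$'
)
# A ".." path component bounded by a separator (or string start/end).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) and unify backslashes to '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')


def is_traversal(filename):
    """True if the (normalized) filename contains a '..' path component."""
    return TRAVERSAL_RE.search(normalize(filename)) is not None


def flag_upload_traversal(lines):
    """Return (ip, path, filename) for POSTs to admin/upload paths with traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST' or m['filename'] is None:
            continue
        if 'upload' not in m['path'] and 'admin' not in m['path']:
            continue
        if is_traversal(m['filename']):
            hits.append((m['ip'], m['path'], m['filename']))
    return hits
```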
