CVE-2024-28116

8.8 HIGH

📋 TL;DR

Grav CMS versions before 1.7.45 contain a Server-Side Template Injection (SSTI) vulnerability that allows an authenticated user with editor permissions to execute arbitrary code on the server, bypassing the template security sandbox. Every Grav CMS installation running a vulnerable version is affected; an attacker holding such an account achieves remote code execution.

💻 Affected Systems

Products:
  • Grav CMS
Versions: All versions prior to 1.7.45
Operating Systems: All platforms running Grav CMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with editor permissions or higher. Default Grav installations with user accounts are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing attackers to execute arbitrary commands, install malware, steal data, or pivot to other systems.

🟠 Likely Case

Authenticated attackers gaining shell access, installing backdoors, defacing websites, or exfiltrating sensitive data.

🟢 If Mitigated

Limited impact if strong authentication controls, network segmentation, and least privilege principles are enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained. Public exploit details are available in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.45

Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh

Restart Required: No

Instructions:

1. Back up your Grav installation and database.
2. Update Grav CMS to version 1.7.45 or later using the Grav GPM command: 'bin/gpm selfupgrade' followed by 'bin/gpm update'.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Restrict User Access

Temporarily disable or restrict editor-level user accounts until patching can be completed. Edit the user account configuration to remove editor permissions.

Web Application Firewall Rules

Implement WAF rules to block SSTI payload patterns in user input.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Grav CMS from critical systems
  • Enforce multi-factor authentication and review all user accounts with editor permissions

🔍 How to Verify

Check if Vulnerable:

Check the Grav version by running 'bin/gpm version' or by looking at the Grav admin panel. If the version is below 1.7.45, the system is vulnerable.

Check Version:

bin/gpm version

Verify Fix Applied:

After updating, confirm the version is 1.7.45 or higher with 'bin/gpm version'. Test editor functionality to ensure normal operation.
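The version check above is easy to get wrong when done by eye across many hosts (a "1.7.5" sorts after "1.7.45" as a string, and a pre-release of 1.7.45 is not the fix). The following is an added example, not part of this advisory or of Grav itself: it extracts the first x.y.z version from a string such as the 'bin/gpm version' output or the GRAV_VERSION line in Grav's system/defines.php, and compares it numerically against 1.7.45. The exact wording of the gpm output is assumed; the sample strings are constructed.

```python
import re
from pathlib import Path

# First fixed release named in the advisory.
FIXED_VERSION = (1, 7, 45)

# Matches x.y.z with an optional pre-release tag such as "-rc.1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """Return ((major, minor, patch), prerelease_or_None) for the first
    version string in text, or None when no x.y.z is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(m.group(i)) for i in (1, 2, 3)), m.group(4)


def is_vulnerable(text):
    """True when the version found in text is below 1.7.45.

    A pre-release of the fixed version itself (e.g. 1.7.45-rc.1) is treated
    as not yet fixed, so it is reported as vulnerable."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError("no version string found in: %r" % text)
    version, prerelease = parsed
    if version < FIXED_VERSION:
        return True
    if version == FIXED_VERSION and prerelease is not None:
        return True
    return False


def check_defines_file(grav_root):
    """Read the GRAV_VERSION line from <grav_root>/system/defines.php and check it."""
    defines = Path(grav_root) / "system" / "defines.php"
    for line in defines.read_text(encoding="utf-8").splitlines():
        if "GRAV_VERSION" in line:
            return is_vulnerable(line)
    raise ValueError("GRAV_VERSION not found in %s" % defines)


if __name__ == "__main__":
    # Constructed samples: the first imitates the gpm output (wording assumed),
    # the second the defines.php line; neither is captured from a real install.
    for sample in ("You are running Grav v1.7.44",
                   "define('GRAV_VERSION', '1.7.45');"):
        print(sample, "->", "VULNERABLE" if is_vulnerable(sample) else "fixed")
```

Pointing `check_defines_file` at each Grav document root is a reasonable way to sweep a fleet from a configuration-management job without needing PHP on the scanning host.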

📡 Detection & Monitoring

Log Indicators:

  • Unusual template file modifications
  • Suspicious PHP/execution patterns in logs
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unexpected outbound connections from Grav server
  • Unusual payloads in POST requests to admin endpoints

SIEM Query:

source="grav_logs" AND ("template injection" OR "eval(" OR "system(" OR suspicious_execution_patterns)
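The three indicator groups above can be checked outside a SIEM as well. The following is an added example, not from the advisory or from Grav: a Python scan over constructed log lines (a simple key=value format invented for the example, not Grav's real log layout) that applies the literal patterns from the SIEM query, flags POST requests to admin endpoints containing them, flags writes to Twig template or PHP files, and reports a run of failed logins from one source followed by a success. The failed-login threshold, the sample IPs and the elided payload text are all constructed.

```python
import re
from collections import defaultdict

# Literal patterns from the page's SIEM query, matched case-insensitively
# anywhere in the line (payload fields included).
EXEC_PATTERNS = ("template injection", "eval(", "system(")

# Failed logins from one source followed by a success that count as an
# indicator. The threshold is an assumption chosen for this example.
FAILED_LOGIN_THRESHOLD = 3

# Files whose modification is worth flagging: Grav themes keep Twig
# templates (.html.twig) under user/themes, and PHP files execute.
TEMPLATE_EXTS = (".twig", ".php")

# Constructed sample log in a simple key=value form; not real Grav output.
# Payload contents are elided placeholders, not working input.
SAMPLE_LOG = """\
2024-03-10T12:00:01Z ip=203.0.113.5 event=login_failed user=editor
2024-03-10T12:00:03Z ip=203.0.113.5 event=login_failed user=editor
2024-03-10T12:00:05Z ip=203.0.113.5 event=login_failed user=editor
2024-03-10T12:00:09Z ip=203.0.113.5 event=login_ok user=editor
2024-03-10T12:01:00Z ip=203.0.113.5 event=request method=POST path=/admin/pages/home payload="title=Hello"
2024-03-10T12:01:30Z ip=203.0.113.5 event=request method=POST path=/admin/pages/home payload="content=... system( ..."
2024-03-10T12:02:00Z ip=203.0.113.5 event=file_write path=user/themes/quark/templates/default.html.twig
2024-03-10T12:03:00Z ip=198.51.100.7 event=request method=GET path=/about
2024-03-10T12:04:00Z ip=198.51.100.7 event=login_ok user=alice
"""

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split 'TIMESTAMP key=value key="quoted value" ...' into a dict."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    rec = {"ts": parts[0]}
    for key, value in _KV_RE.findall(parts[1]):
        rec[key] = value.strip('"')
    return rec


def scan(lines):
    """Return (line_no, kind, detail) findings for the three indicators."""
    findings = []
    failed = defaultdict(int)  # consecutive failed logins per source IP
    for n, raw in enumerate(lines, 1):
        rec = parse_line(raw)
        if not rec:
            continue
        event, ip = rec.get("event"), rec.get("ip", "?")

        # Indicator 1: repeated failures then a success from the same source.
        if event == "login_failed":
            failed[ip] += 1
        elif event == "login_ok":
            if failed[ip] >= FAILED_LOGIN_THRESHOLD:
                findings.append((n, "brute-force",
                                 f"{failed[ip]} failed logins from {ip} then success"))
            failed[ip] = 0

        # Indicator 2: execution-style strings, most serious in an admin POST.
        lowered = raw.lower()
        hits = [p for p in EXEC_PATTERNS if p in lowered]
        if hits:
            admin_post = (rec.get("method") == "POST"
                          and rec.get("path", "").startswith("/admin"))
            kind = "admin-post-exec" if admin_post else "exec-pattern"
            findings.append((n, kind, f"matched {hits} from {ip}"))

        # Indicator 3: writes to template or PHP files.
        if event == "file_write" and rec.get("path", "").endswith(TEMPLATE_EXTS):
            findings.append((n, "template-write", rec["path"]))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {kind}: {detail}")
```

Substring matches on "eval(" or "system(" are noisy on their own; the value of the scan is the combination, where a credential-guessing sequence from one source is followed within minutes by an admin POST carrying such strings and then a template file write. Treat any one finding as a triage signal and the sequence as an incident.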
