CVE-2024-28118

8.8 HIGH

📋 TL;DR

This vulnerability in Grav CMS allows administrative users to bypass SSTI mitigations and execute arbitrary code through Twig template processing. Attackers can gain elevated privileges and take full control of the instance. Only Grav instances with administrative users who can create/edit pages are affected.

💻 Affected Systems

Products:
  • Grav CMS
Versions: All versions prior to 1.7.45
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative user access to create/edit pages with Twig processing enabled in front matter.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with arbitrary code execution leading to data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Administrative user exploits the vulnerability to gain full control of the Grav instance, potentially compromising sensitive content and user data.

🟢 If Mitigated

Limited to administrative users only, with proper access controls reducing attack surface to trusted personnel.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative credentials but is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.45

Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4

Restart Required: No

Instructions:

1. Backup your Grav installation.
2. Update to version 1.7.45 via package manager or manual download.
3. Clear cache if needed.

🔧 Temporary Workarounds

Disable Twig processing for non-trusted users

Applies to: all

Restrict administrative privileges and disable Twig processing in page front matter for untrusted users.

🧯 If You Can't Patch

  • Restrict administrative access to only essential, trusted personnel
  • Implement network segmentation to isolate Grav instances from critical systems

🔍 How to Verify

Check if Vulnerable:

Check Grav version in admin panel or via CLI: php bin/grav version

Check Version:

php bin/grav version

Verify Fix Applied:

Confirm version is 1.7.45 or higher: php bin/grav version
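A small script to automate the version check described above, added here as an example (not part of the advisory or of the Grav project). It runs the `php bin/grav version` command from the page, pulls the first x.y.z number out of whatever that command prints (the exact output format is assumed, so the parser is deliberately loose), compares it numerically against the fixed release 1.7.45, and falls back to reading the GRAV_VERSION constant from system/defines.php, a file path that is also an assumption about the Grav layout.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# From the advisory: the fix shipped in Grav 1.7.45.
FIXED_VERSION: Version = (1, 7, 45)

# Loose match for the first x.y.z number in free-form CLI output.
# No leading \b on purpose: "v1.7.44" has no word boundary before the digit.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# ASSUMPTION: Grav keeps its version in system/defines.php as
#   define('GRAV_VERSION', '1.7.45');
DEFINES_RE = re.compile(r"GRAV_VERSION'\s*,\s*'([^']+)'")


def parse_version(text: str) -> Optional[Version]:
    """Return the first x.y.z version found in text as an int tuple, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def version_from_defines_text(php_source: str) -> Optional[Version]:
    """Parse the GRAV_VERSION constant out of the contents of system/defines.php."""
    m = DEFINES_RE.search(php_source)
    return parse_version(m.group(1)) if m else None


def is_vulnerable(version: Version) -> bool:
    """True when the running version predates the fixed release (tuple compare is numeric)."""
    return version < FIXED_VERSION


def assess(cli_output: str) -> str:
    """Turn raw `bin/grav version` output into a one-line verdict."""
    v = parse_version(cli_output)
    if v is None:
        return "unknown: could not parse a version from the output"
    found = ".".join(map(str, v))
    fixed = ".".join(map(str, FIXED_VERSION))
    verdict = "VULNERABLE" if is_vulnerable(v) else "patched"
    return f"{found}: {verdict} (fixed in {fixed})"


def run_grav_version(grav_root: str) -> str:
    """Run the CLI check from the page inside the Grav install directory."""
    result = subprocess.run(
        ["php", "bin/grav", "version"],
        cwd=grav_root, capture_output=True, text=True, check=False,
    )
    return result.stdout + result.stderr


def assess_install(grav_root: str) -> str:
    """CLI first; if it prints nothing parseable, fall back to system/defines.php."""
    output = run_grav_version(grav_root)
    if parse_version(output) is not None:
        return assess(output)
    try:
        with open(f"{grav_root}/system/defines.php", encoding="utf-8") as fh:
            v = version_from_defines_text(fh.read())
    except OSError:
        v = None
    return assess(".".join(map(str, v))) if v else assess("")


if __name__ == "__main__":
    import sys
    print(assess_install(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the Grav root as the only argument; a result of "patched" means the installed version is 1.7.45 or higher, matching the verification step above. Pre-release suffixes (for example a release candidate) are ignored by the parser, so treat such builds as unverified.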

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrative activity
  • Unexpected page creation/editing with Twig content
  • System command execution in logs

Network Indicators:

  • Unexpected outbound connections from Grav server
  • Unusual HTTP requests to administrative endpoints

SIEM Query:

source="grav_logs" AND (event="page_edit" OR event="page_create") AND content CONTAINS "twig"
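The log indicators and the SIEM query above, carried through as a small scanner over constructed log records; this is an added example, not code from the advisory or from the Grav project. The JSON-lines log format and the field names (ts, user, event, route, content) are assumptions, and the per-page front matter switch `process:` / `twig: true` is treated here as the key Grav uses to enable Twig on a page. The scanner goes a step past the query's plain substring match on "twig": it flags page create/edit events either when the front matter turns Twig processing on or when the page body carries Twig delimiters, and reports which of the two triggered.

```python
import json
import re
from typing import Dict, Iterable, List

# Events the SIEM query keys on.
PAGE_EVENTS = {"page_create", "page_edit"}

# Twig delimiters: any of these in page content means Twig syntax is present.
TWIG_TAG_RE = re.compile(r"\{\{|\{%|\{#")

# Front matter is the leading block between two '---' lines.
FRONT_MATTER_RE = re.compile(r"\A---\s*\n(.*?)\n---", re.DOTALL)

# ASSUMPTION: per-page Twig processing is enabled with
#   process:
#     twig: true
# in the front matter; this matches the `twig: true` line inside that block.
TWIG_ENABLE_RE = re.compile(r"^\s*twig\s*:\s*true\s*$", re.MULTILINE)


def twig_enabled_in_front_matter(content: str) -> bool:
    m = FRONT_MATTER_RE.match(content)
    return bool(m and TWIG_ENABLE_RE.search(m.group(1)))


def classify(record: Dict) -> List[str]:
    """Return the reasons a page event is worth a look; empty list means not flagged."""
    if record.get("event") not in PAGE_EVENTS:
        return []
    content = record.get("content", "")
    reasons = []
    if twig_enabled_in_front_matter(content):
        reasons.append("twig processing enabled in front matter")
    if TWIG_TAG_RE.search(content):
        reasons.append("twig syntax in page body")
    return reasons


def scan(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines log records and return one finding per flagged page event."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not one of our records; skip rather than abort the scan
        reasons = classify(rec)
        if reasons:
            findings.append({
                "ts": rec.get("ts"),
                "user": rec.get("user"),
                "event": rec["event"],
                "route": rec.get("route"),
                "reasons": reasons,
            })
    return findings


# Constructed sample log (not real Grav output): one login, one harmless edit,
# one page that both enables Twig and uses it, and one edit that only adds Twig tags.
SAMPLE_RECORDS = [
    {"ts": "2024-03-05T09:00:01Z", "user": "editor", "event": "login"},
    {"ts": "2024-03-05T09:02:10Z", "user": "editor", "event": "page_edit",
     "route": "/about", "content": "---\ntitle: About\n---\nPlain markdown only."},
    {"ts": "2024-03-05T09:05:42Z", "user": "admin2", "event": "page_create",
     "route": "/notes", "content": "---\ntitle: Notes\nprocess:\n  twig: true\n---\n{{ page.title }}"},
    {"ts": "2024-03-05T09:07:03Z", "user": "admin2", "event": "page_edit",
     "route": "/about", "content": "---\ntitle: About\n---\n{% if true %}hi{% endif %}"},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['user']} {f['event']} {f['route']}: {', '.join(f['reasons'])}")
```

On the sample data the login and the plain-markdown edit are ignored, the page create is reported with both reasons, and the last edit is reported for Twig syntax alone. Feeding real records in means adapting only the field names and the SAMPLE_LOG source; the classification logic stays the same.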
