Main Vulnerability Database Vulnerabilities #VU52365

#VU52365 Improper access control in Grav Admin Plugin - CVE-2021-21425

Published: April 20, 2021 / Updated: November 15, 2024

Vulnerability identifier: #VU52365

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2021-21425

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
Grav Admin Plugin

Software vendor:
Grav CMS

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can execute some methods of administrator controller without needing any credentials, leading to arbitrary YAML file creation or content change of existing YAML files on the system.

Remediation

Install updates from vendor's website.

External links

https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj
https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/

#VU52365 Improper access control in Grav Admin Plugin - CVE-2021-21425

Description

Remediation

External links

Please verify you're human