CVE-2023-34253

Name: CVE-2023-34253
Creator: NVD / NIST
Published: 2023-06-14T23:15:11.037+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.2/10EPSS 2.07%

Last modified Jun 17, 2026

CVE-2023-34253 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. EPSS estimates a 2.07% chance of exploitation in the next 30 days.

Description

Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist.

Metrics

CVSS 3.1

7.2/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

2.07%

79.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Getgrav	Grav	< 1.7.42

References

https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190Issue Tracking
https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1bPatch
https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgmExploit, Vendor Advisory
https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/Exploit, Third Party Advisory
https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83Patch
https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190Issue Tracking
https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1bPatch
https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgmExploit, Vendor Advisory
https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/Exploit, Third Party Advisory
https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83Patch

Timeline

Published: Jun 14, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-34253?

How severe is CVE-2023-34253?

CVE-2023-34253 has a CVSS score of 7.2/10 (HIGH severity). The EPSS model estimates a 2.07% probability of exploitation in the next 30 days.

How do I fix CVE-2023-34253?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-34253?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST