CVE-2024-28118: Server Side Template Injection (SSTI)

March 22, 2024 (updated January 3, 2025)

Due to the unrestricted access to twig extension class from grav context, an attacker can redefine config variable. As a result, attacker can bypass previous patch.

References

github.com/advisories/GHSA-r6vw-8v8r-pmp4
github.com/getgrav/grav
github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe
github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4
nvd.nist.gov/vuln/detail/CVE-2024-28118

Code Behaviors & Features

Detect and mitigate CVE-2024-28118 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →