Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/66207?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/66207?format=api", "purl": "pkg:composer/getgrav/grav@1.7.42%2B1", "type": "composer", "namespace": "getgrav", "name": "grav", "version": "1.7.42+1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.0.0-beta.4", "latest_non_vulnerable_version": "2.0.0-rc.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45692?format=api", "vulnerability_id": "VCID-ru55-uj84-p3dr", "summary": "Return of Wrong Status Code\nGrav is a file-based Web-platform built in PHP. Grav is subject to a server side template injection (SSTI) vulnerability. The fix for another SSTI vulnerability using `|map`, `|filter` and `|reduce` twigs implemented in the commit `71bbed1` introduces bypass of the denylist due to incorrect return value from `isDangerousFunction()`, which allows to execute the payload prepending double backslash (`\\\\`). The `isDangerousFunction()` check in version 1.7.42 and onwards returns `false` value instead of `true` when the `\\` symbol is found in the `$name`. This vulnerability can be exploited if the attacker has access to: 1. an Administrator account, or 2. a non-administrator, user account that has Admin panel access and Create/Update page permissions. A fix for this vulnerability has been introduced in commit `b4c6210` and is included in release version `1.7.42.2`. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37897", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30282", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30217", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30247", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37897" }, { "reference_url": "https://github.com/getgrav/grav", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav" }, { "reference_url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/" } ], "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b" }, { "reference_url": "https://github.com/getgrav/grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/" } ], "url": "https://github.com/getgrav/grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37897", "reference_id": "CVE-2023-37897", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37897" }, { "reference_url": "https://github.com/advisories/GHSA-9436-3gmp-4f53", "reference_id": "GHSA-9436-3gmp-4f53", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9436-3gmp-4f53" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53", "reference_id": "GHSA-9436-3gmp-4f53", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66208?format=api", "purl": "pkg:composer/getgrav/grav@1.7.42%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/662910?format=api", "purl": "pkg:composer/getgrav/grav@1.7.42.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-1ps5-3k43-p3fa" }, { "vulnerability": "VCID-4a2z-37a3-2qaw" }, { "vulnerability": "VCID-5kr2-3ywy-9kcn" }, { "vulnerability": "VCID-6a4v-d3zb-67cq" }, { "vulnerability": "VCID-6quf-qqqk-43a1" }, { "vulnerability": "VCID-6tq3-4hkt-y3au" }, { "vulnerability": "VCID-7jaz-7xjc-kka1" }, { "vulnerability": "VCID-9j1y-z47y-xudz" }, { "vulnerability": "VCID-9tu1-4n1t-6bgv" }, { "vulnerability": "VCID-a375-aqzf-r7gw" }, { "vulnerability": "VCID-a8df-4jgt-gba4" }, { "vulnerability": "VCID-a8y8-y4zt-zqbv" }, { "vulnerability": "VCID-aa7e-n85b-wbdm" }, { "vulnerability": "VCID-abwg-zvc9-w7dq" }, { "vulnerability": "VCID-agks-r1vd-u3d6" }, { "vulnerability": "VCID-athb-nf3a-yyga" }, { "vulnerability": "VCID-b41u-g5gk-jfbw" }, { "vulnerability": "VCID-bafn-ne38-nucy" }, { "vulnerability": "VCID-bhhz-z132-zkhb" }, { "vulnerability": "VCID-bwvg-jg4z-nyhp" }, { "vulnerability": "VCID-c9jy-y2dh-x3dg" }, { "vulnerability": "VCID-e61c-rd9y-wyhs" }, { "vulnerability": "VCID-egxp-rctq-xyh8" }, { "vulnerability": "VCID-esjd-ztwe-c3h1" }, { "vulnerability": "VCID-f3wx-5ayr-tqga" }, { "vulnerability": "VCID-fmmu-r77k-c7g2" }, { "vulnerability": "VCID-k8fd-bqpk-2qg8" }, { "vulnerability": "VCID-kbnn-6uws-kqh9" }, { "vulnerability": "VCID-p1u7-9mk4-fkcr" }, { "vulnerability": "VCID-p5d4-8rvg-uqem" }, { "vulnerability": "VCID-r2dh-em54-nyfz" }, { "vulnerability": "VCID-rcyu-yu31-n7gu" }, { "vulnerability": "VCID-rj4b-8dyu-juen" }, { "vulnerability": "VCID-seer-x4fd-e7ge" }, { "vulnerability": "VCID-ss11-shq5-qqae" }, { "vulnerability": "VCID-tkxm-vt8p-tqgv" }, { "vulnerability": "VCID-u7yn-d7uj-57bh" }, { "vulnerability": "VCID-v8u1-nbxw-a7fr" }, { "vulnerability": "VCID-v9n7-vann-6fa5" }, { "vulnerability": "VCID-vm87-35gf-eyft" }, { "vulnerability": "VCID-xj7v-ry9d-dfh1" }, { "vulnerability": "VCID-y7vc-cx37-7ubs" }, { "vulnerability": "VCID-yh73-zyju-vqge" }, { "vulnerability": "VCID-ymnw-h6as-fbe5" }, { "vulnerability": "VCID-zg5t-uqx2-87fw" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42.2" } ], "aliases": [ "CVE-2023-37897", "GHSA-9436-3gmp-4f53" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ru55-uj84-p3dr" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42%252B1" }