{
  "url": "http://public2.vulnerablecode.io/api/packages/66207?format=json",
  "purl": "pkg:composer/getgrav/grav@1.7.42%2B1",
  "type": "composer",
  "namespace": "getgrav",
  "name": "grav",
  "version": "1.7.42+1",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "2.0.0-beta.4",
  "latest_non_vulnerable_version": "2.0.0-rc.2",
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45692?format=json",
      "vulnerability_id": "VCID-ru55-uj84-p3dr",
      "summary": "Return of Wrong Status Code\nGrav is a file-based Web-platform built in PHP. Grav is subject to a server side template injection (SSTI) vulnerability. The fix for another SSTI vulnerability using `|map`, `|filter` and `|reduce` twigs implemented in the commit `71bbed1` introduces bypass of the denylist due to incorrect return value from `isDangerousFunction()`, which allows to execute the payload prepending double backslash (`\\\\`). The `isDangerousFunction()` check in version 1.7.42 and onwards returns `false` value instead of `true` when the `\\` symbol is found in the `$name`. This vulnerability can be exploited if the attacker has access to: 1. an Administrator account, or 2. a non-administrator, user account that has Admin panel access and Create/Update page permissions. A fix for this vulnerability has been introduced in commit `b4c6210` and is included in release version `1.7.42.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37897",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30282", "published_at": "2026-06-05T12:55:00Z"},
            {"value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30217", "published_at": "2026-06-07T12:55:00Z"},
            {"value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30247", "published_at": "2026-06-06T12:55:00Z"}
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37897"
        },
        {
          "reference_url": "https://github.com/getgrav/grav",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/getgrav/grav"
        },
        {
          "reference_url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/"}
          ],
          "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
        },
        {
          "reference_url": "https://github.com/getgrav/grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/"}
          ],
          "url": "https://github.com/getgrav/grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37897",
          "reference_id": "CVE-2023-37897",
          "reference_type": "",
          "scores": [
            {"value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37897"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-9436-3gmp-4f53",
          "reference_id": "GHSA-9436-3gmp-4f53",
          "reference_type": "",
          "scores": [
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-9436-3gmp-4f53"
        },
        {
          "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53",
          "reference_id": "GHSA-9436-3gmp-4f53",
          "reference_type": "",
          "scores": [
            {"value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/"}
          ],
          "url": "https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/66208?format=json",
          "purl": "pkg:composer/getgrav/grav@1.7.42%2B2",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42%252B2"
        },
        {
          "url": "http://public2.vulnerablecode.io/api/packages/662910?format=json",
          "purl": "pkg:composer/getgrav/grav@1.7.42.2",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [
            {"vulnerability": "VCID-1ps5-3k43-p3fa"},
            {"vulnerability": "VCID-4a2z-37a3-2qaw"},
            {"vulnerability": "VCID-5kr2-3ywy-9kcn"},
            {"vulnerability": "VCID-6a4v-d3zb-67cq"},
            {"vulnerability": "VCID-6quf-qqqk-43a1"},
            {"vulnerability": "VCID-6tq3-4hkt-y3au"},
            {"vulnerability": "VCID-7jaz-7xjc-kka1"},
            {"vulnerability": "VCID-9j1y-z47y-xudz"},
            {"vulnerability": "VCID-9tu1-4n1t-6bgv"},
            {"vulnerability": "VCID-a375-aqzf-r7gw"},
            {"vulnerability": "VCID-a8df-4jgt-gba4"},
            {"vulnerability": "VCID-a8y8-y4zt-zqbv"},
            {"vulnerability": "VCID-aa7e-n85b-wbdm"},
            {"vulnerability": "VCID-abwg-zvc9-w7dq"},
            {"vulnerability": "VCID-agks-r1vd-u3d6"},
            {"vulnerability": "VCID-athb-nf3a-yyga"},
            {"vulnerability": "VCID-b41u-g5gk-jfbw"},
            {"vulnerability": "VCID-bafn-ne38-nucy"},
            {"vulnerability": "VCID-bhhz-z132-zkhb"},
            {"vulnerability": "VCID-bwvg-jg4z-nyhp"},
            {"vulnerability": "VCID-c9jy-y2dh-x3dg"},
            {"vulnerability": "VCID-e61c-rd9y-wyhs"},
            {"vulnerability": "VCID-egxp-rctq-xyh8"},
            {"vulnerability": "VCID-esjd-ztwe-c3h1"},
            {"vulnerability": "VCID-f3wx-5ayr-tqga"},
            {"vulnerability": "VCID-fmmu-r77k-c7g2"},
            {"vulnerability": "VCID-k8fd-bqpk-2qg8"},
            {"vulnerability": "VCID-kbnn-6uws-kqh9"},
            {"vulnerability": "VCID-p1u7-9mk4-fkcr"},
            {"vulnerability": "VCID-p5d4-8rvg-uqem"},
            {"vulnerability": "VCID-r2dh-em54-nyfz"},
            {"vulnerability": "VCID-rcyu-yu31-n7gu"},
            {"vulnerability": "VCID-rj4b-8dyu-juen"},
            {"vulnerability": "VCID-seer-x4fd-e7ge"},
            {"vulnerability": "VCID-ss11-shq5-qqae"},
            {"vulnerability": "VCID-tkxm-vt8p-tqgv"},
            {"vulnerability": "VCID-u7yn-d7uj-57bh"},
            {"vulnerability": "VCID-v8u1-nbxw-a7fr"},
            {"vulnerability": "VCID-v9n7-vann-6fa5"},
            {"vulnerability": "VCID-vm87-35gf-eyft"},
            {"vulnerability": "VCID-xj7v-ry9d-dfh1"},
            {"vulnerability": "VCID-y7vc-cx37-7ubs"},
            {"vulnerability": "VCID-yh73-zyju-vqge"},
            {"vulnerability": "VCID-ymnw-h6as-fbe5"},
            {"vulnerability": "VCID-zg5t-uqx2-87fw"}
          ],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42.2"
        }
      ],
      "aliases": ["CVE-2023-37897", "GHSA-9436-3gmp-4f53"],
      "risk_score": 4.0,
      "exploitability": "0.5",
      "weighted_severity": "8.0",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ru55-uj84-p3dr"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": "4.0",
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42%252B1"
}