TANTO DOJO BLOG

Grav-ity of the situation: Unauthenticated Access to RCE in Grav CMS

In this blog post, critical security vulnerabilities discovered in Grav CMS are explored. Two out of four issues I reported have been assigned CVE-2024-27921 and CVE-2024-34082. By exploiting a combination of these vulnerabilities, an unauthenticated attacker can escalate privileges and execute code on the server. This blog post details how a manual source code review was performed to uncover these vulnerabilities, explaining their mechanisms and potential impact.

CVE-2024-27292: docAssembling exploits for RCE

This post examines CVE-2024-27292 in Docassemble, revealing an unauthenticated path traversal flaw that exposes sensitive files and secrets, leading to privilege escalation and template injection, enabling remote code execution. It details the vulnerability, its impact, and the exploitation steps.

Let our seasoned experts sharpen your cyber security. Call 1300 1 TANTO 82686 or send us a message.

CONTACT Let’s talk

Please include a little about the service you are after and what you need done. We will work with you to achieve the desired result.

Level 4, 350 Collins Street
MELBOURNE VIC
3000 AUSTRALIA

Level 1, 234 George Street
SYDNEY NSW
2000 AUSTRALIA

Please include a little about the service you are after and what you need done. We will work with you to achieve the desired result.

Read terms & conditions

Protected by reCAPTCHAv3

Protected by reCAPTCHAv3