CVE-2021-29440: getgrav/grav - Packagist

Grav is a file-based web platform. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. Because the Twig processor runs unsandboxed, this behaviour can be used to gain arbitrary code execution and elevate privileges on the instance. The issue was addressed in version 1.7.11.
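From the defender's side, an added illustration (not part of the advisory and not Grav's own code): a small audit that lists the pages whose front matter turns on Twig processing and checks whether a Grav version string is at or above the fixed release named above. The `process: twig: true` and `twig_first: true` page-header keys are assumed Grav settings, and the sample pages are constructed.

```python
import re

FIXED_IN = (1, 7, 11)  # release named in the advisory above
# Grav page front matter is the YAML block between the leading '---' lines.
FRONT_MATTER = re.compile(r"\A---[ \t]*\n(.*?)\n---[ \t]*(?:\n|\Z)", re.S)

def front_matter(text):
    m = FRONT_MATTER.match(text)
    return m.group(1) if m else ""

def twig_enabled(header):
    """True if the header turns on Twig processing for the page.
    Assumed page-header keys: top-level `twig_first: true`, or `process:`
    with a nested `twig: true` (block style or {flow} style)."""
    in_process = False
    for line in header.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip().lower()
        if indent == 0:
            in_process = key == "process"
            if key == "twig_first" and value == "true":
                return True
            if in_process and re.search(r"\btwig\s*:\s*true\b", value):
                return True
        elif in_process and key == "twig" and value == "true":
            return True
    return False

def audit_pages(pages):
    """pages: mapping of page path -> file text. Returns paths enabling Twig."""
    return sorted(p for p, t in pages.items() if twig_enabled(front_matter(t)))

def version_is_fixed(version):
    """True when a Grav version string is at or above the fixed release."""
    nums = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    return nums >= FIXED_IN

# Constructed sample pages (not taken from any real site).
SAMPLE_PAGES = {
    "01.home/default.md": "---\ntitle: Home\n---\n# Hello\n",
    "02.blog/item.md": "---\ntitle: Post\nprocess:\n  markdown: true\n  twig: true\n---\n",
    "03.about/default.md": "---\ntitle: About\ntwig_first: true\n---\n",
    "04.flow/default.md": "---\ntitle: Flow\nprocess: {markdown: true, twig: true}\n---\n",
}

if __name__ == "__main__":
    print("pages with Twig processing enabled:", audit_pages(SAMPLE_PAGES))
```

To run it over a real site, feed `audit_pages` a mapping built from the `.md` files under the pages directory.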

Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS

1.7.37.1 2022-10-05 21:06 UTC

Requires

  • php: ^7.3.6 || ^8.0
  • ext-curl: *
  • ext-dom: *
  • ext-gd: *
  • ext-json: *
  • ext-libxml: *
  • ext-openssl: *
  • ext-zip: *
  • composer/ca-bundle: ^1.2
  • composer/semver: ^1.4
  • doctrine/cache: ^1.10
  • doctrine/collections: ^1.6
  • donatj/phpuseragentparser: ~1.1
  • dragonmantank/cron-expression: ^1.2
  • erusev/parsedown: ^1.7
  • erusev/parsedown-extra: ~0.8
  • filp/whoops: ~2.9
  • getgrav/cache: ^2.0
  • getgrav/image: ^3.0
  • guzzlehttp/psr7: ^1.7
  • itsgoingd/clockwork: ^5.0
  • league/climate: ^3.6
  • matthiasmullie/minify: ^1.3
  • maximebf/debugbar: ~1.16
  • miljar/php-exif: ^0.6
  • monolog/monolog: ~1.25
  • multiavatar/multiavatar-php: ^1.0
  • nyholm/psr7: ^1.3
  • nyholm/psr7-server: ^1.0
  • pimple/pimple: ~3.5.0
  • psr/container: ~1.1.0
  • psr/http-message: ^1.0
  • psr/http-server-middleware: ^1.0
  • psr/simple-cache: ^1.0
  • rhukster/dom-sanitizer: ^1.0
  • rockettheme/toolbox: ~1.5
  • symfony/console: ~4.4
  • symfony/contracts: ~1.1
  • symfony/event-dispatcher: ~4.4
  • symfony/http-client: ^4.4
  • symfony/polyfill-iconv: ^1.23
  • symfony/polyfill-mbstring: ~1.23
  • symfony/polyfill-php74: ^1.23
  • symfony/polyfill-php80: ^1.23
  • symfony/polyfill-php81: ^1.23
  • symfony/process: ~4.4
  • symfony/var-dumper: ~4.4
  • symfony/yaml: ~4.4
  • twig/twig: ~v1.44
  • willdurand/negotiation: ^3.0

Requires (Dev)

  • codeception/codeception: ^4.1
  • codeception/module-asserts: ^1.3
  • codeception/module-phpbrowser: ^1.0
  • getgrav/markdowndocs: ^2.0
  • phpstan/phpstan: ^1.8
  • phpstan/phpstan-deprecation-rules: ^1.0
  • phpunit/php-code-coverage: ~9.2
  • symfony/service-contracts: *

Suggests

  • ext-exif: Needed to use exif data from images.
  • ext-iconv: Recommended for better performance
  • ext-intl: Recommended for multi-language sites
  • ext-mbstring: Recommended for better performance
  • ext-memcache: Needed to support Memcache servers
  • ext-memcached: Needed to support Memcached servers
  • ext-redis: Needed to support Redis servers
  • ext-zend-opcache: Recommended for better performance

This package is auto-updated.

Last update: 2022-10-26 00:20:21 UTC

README

Grav is a fast, simple, and flexible file-based web platform. Zero installation is required: just extract the ZIP archive and you are up and running. It follows similar principles to other flat-file CMS platforms, but has a different design philosophy than most. Grav comes with a powerful Package Management System that allows simple installation and upgrading of plugins and themes, as well as simple updating of Grav itself.

The underlying architecture of Grav is designed to use well-established and best-in-class technologies to ensure that Grav is simple to use and easy to extend. Some of these key technologies include:

  • Twig Templating: for powerful control of the user interface
  • Markdown: for easy content creation
  • YAML: for simple configuration
  • Parsedown: for fast Markdown and Markdown Extra support
  • Doctrine Cache: layer for performance
  • Pimple Dependency Injection Container: for extensibility and maintainability
  • Symfony Event Dispatcher: for plugin event handling
  • Symfony Console: for CLI interface
  • Gregwar Image Library: for dynamic image manipulation

Requirements

  • PHP 7.3.6 or higher. Check the required modules list
  • Check the Apache or IIS requirements

Documentation

The full documentation can be found at learn.getgrav.org.

QuickStart

These are the options to get Grav:

Downloading a Grav Package

You can download a ready-built package from the Downloads page on https://getgrav.org

With Composer

You can create a new project with the latest stable Grav release with the following command:

$ composer create-project getgrav/grav ~/webroot/grav

From GitHub

  1. Clone the Grav repository from https://github.com/getgrav/grav to a folder in the webroot of your server, e.g. ~/webroot/grav. Launch a terminal or console and navigate to the webroot folder:

    $ cd ~/webroot
    $ git clone https://github.com/getgrav/grav.git
    
  2. Install the plugin and theme dependencies by using the Grav CLI application bin/grav:

    $ cd ~/webroot/grav
    $ bin/grav install
    

Check out the install procedures for more information.

Adding Functionality

You can download plugins or themes manually from the appropriate tab on the Downloads page on https://getgrav.org, but the preferred solution is to use the Grav Package Manager or GPM:

$ bin/gpm index

This will display all the available plugins and then you can install one or more with:

$ bin/gpm install <plugin/theme>

Updating

To update Grav you should use the Grav Package Manager or GPM:

$ bin/gpm selfupgrade

To update plugins and themes:

$ bin/gpm update

Upgrading from older version

  • Upgrading to Grav 1.7
  • Upgrading to Grav 1.6
  • Upgrading from Grav <1.6

Contributing

We appreciate any contribution to Grav, whether it is related to bugs, grammar, or simply a suggestion or improvement! Please refer to the Contributing guide for more guidance on this topic.

Security issues

If you discover a possible security issue related to Grav or one of its plugins, please email the core team at [email protected] and we’ll address it as soon as possible.

Getting Started

  • What is Grav?
  • Install Grav in few seconds
  • Understand the Configuration
  • Take a peek at our available free Skeletons
  • If you have questions, jump on our Discord Chat Server!
  • Have fun!

Exploring More

  • Have a look at our Basic Tutorial
  • Dive into more advanced functions
  • Learn about the Grav CLI
  • Review examples in the Grav Cookbook
  • More Awesome Grav Stuff

Backers

Support Grav with a monthly donation to help us continue development. [Become a backer]

Supporters

Support Grav with a monthly donation to help us continue development. [Become a supporter]

Sponsors

Support Grav with a yearly donation to help us continue development. [Become a sponsor]

License

See LICENSE

Running Tests

First install the dev dependencies by running composer install from the Grav root.

Then composer test will run the unit tests, which should always execute successfully on any site. Windows users should use the composer test-windows command. You can also run a single unit test file, e.g. composer test tests/unit/Grav/Common/AssetsTest.php

To run phpstan tests, you should run:

  • composer phpstan for global tests
  • composer phpstan-framework for more strict tests
  • composer phpstan-plugins to test all installed plugins
