CVE-2023-34251: 
PHP vulnerability analysis and mitigation

Grav, a flat-file content management system, was found to contain a critical Server Side Template Injection (SSTI) vulnerability (CVE-2023-34251) affecting versions prior to 1.7.42. The vulnerability was discovered and reported through GitHub's Bug Bounty program by security researcher scgajge12. This vulnerability allows remote code execution by embedding malicious PHP code on the administrator screen by users with page editing privileges (GitHub Advisory).

The vulnerability is classified as a Server Side Template Injection (SSTI) with a CVSS v3.1 base score of 9.9 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) according to GitHub's assessment, while NVD rates it at 7.2 HIGH. The vulnerability is tracked as CWE-94 (Improper Control of Generation of Code) and affects the Twig template engine implementation in Grav CMS (NVD).

When exploited, this vulnerability allows attackers with page editing privileges to execute arbitrary system commands through the administrator interface. This could lead to complete system compromise, allowing attackers to access sensitive data, modify system files, and potentially gain full control over the affected server (GitHub Advisory).

The vulnerability has been patched in Grav version 1.7.42. Users are strongly advised to upgrade to this version or later to protect against this security issue. The fix includes additional validation for the Twig map filter to prevent execution of dangerous functions (Grav Commit).