The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)
{
"unresolved_ranges": [
{
"vendor_product": "getgrav:grav_cms",
"cpes": [
"cpe:2.3:a:getgrav:grav_cms:1.7.0:beta10:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:beta1:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:beta2:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:beta3:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:beta4:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:beta5:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:beta6:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:beta7:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:beta8:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:beta9:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc10:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc11:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc12:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc13:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc14:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc15:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc16:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc17:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc1:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc20:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc2:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc3:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc4:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc5:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc6:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc7:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc8:*:*:*:*:*:*",
"cpe:2.3:a:getgrav:grav_cms:1.7.0:rc9:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "1.7.0-beta1"
},
{
"last_affected": "1.7.0-beta1"
},
{
"introduced": "1.7.0-beta10"
},
{
"last_affected": "1.7.0-beta10"
},
{
"introduced": "1.7.0-beta2"
},
{
"last_affected": "1.7.0-beta2"
},
{
"introduced": "1.7.0-beta3"
},
{
"last_affected": "1.7.0-beta3"
},
{
"introduced": "1.7.0-beta4"
},
{
"last_affected": "1.7.0-beta4"
},
{
"introduced": "1.7.0-beta5"
},
{
"last_affected": "1.7.0-beta5"
},
{
"introduced": "1.7.0-beta6"
},
{
"last_affected": "1.7.0-beta6"
},
{
"introduced": "1.7.0-beta7"
},
{
"last_affected": "1.7.0-beta7"
},
{
"introduced": "1.7.0-beta8"
},
{
"last_affected": "1.7.0-beta8"
},
{
"introduced": "1.7.0-beta9"
},
{
"last_affected": "1.7.0-beta9"
},
{
"introduced": "1.7.0-rc1"
},
{
"last_affected": "1.7.0-rc1"
},
{
"introduced": "1.7.0-rc10"
},
{
"last_affected": "1.7.0-rc10"
},
{
"introduced": "1.7.0-rc11"
},
{
"last_affected": "1.7.0-rc11"
},
{
"introduced": "1.7.0-rc12"
},
{
"last_affected": "1.7.0-rc12"
},
{
"introduced": "1.7.0-rc13"
},
{
"last_affected": "1.7.0-rc13"
},
{
"introduced": "1.7.0-rc14"
},
{
"last_affected": "1.7.0-rc14"
},
{
"introduced": "1.7.0-rc15"
},
{
"last_affected": "1.7.0-rc15"
},
{
"introduced": "1.7.0-rc16"
},
{
"last_affected": "1.7.0-rc16"
},
{
"introduced": "1.7.0-rc17"
},
{
"last_affected": "1.7.0-rc17"
},
{
"introduced": "1.7.0-rc2"
},
{
"last_affected": "1.7.0-rc2"
},
{
"introduced": "1.7.0-rc20"
},
{
"last_affected": "1.7.0-rc20"
},
{
"introduced": "1.7.0-rc3"
},
{
"last_affected": "1.7.0-rc3"
},
{
"introduced": "1.7.0-rc4"
},
{
"last_affected": "1.7.0-rc4"
},
{
"introduced": "1.7.0-rc5"
},
{
"last_affected": "1.7.0-rc5"
},
{
"introduced": "1.7.0-rc6"
},
{
"last_affected": "1.7.0-rc6"
},
{
"introduced": "1.7.0-rc7"
},
{
"last_affected": "1.7.0-rc7"
},
{
"introduced": "1.7.0-rc8"
},
{
"last_affected": "1.7.0-rc8"
},
{
"introduced": "1.7.0-rc9"
},
{
"last_affected": "1.7.0-rc9"
}
]
}
]
}