CVE-2021-3818
Reliance on Cookies without Validation and Integrity Checking in getgrav/grav
6.3
MEDIUM
CVSS 3.1
EPSS 0.29%
Description
grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking (CWE-565). A cookie set with an overly broad Path attribute is sent by the browser to, and can be read by, any other application served under the same domain. Because cookies often carry sensitive data such as session identifiers, sharing them across applications means a vulnerability in one application (for example an XSS or a file-read bug that exposes the cookie) can compromise another. The fix is to scope cookies to the narrowest Path that still serves the application, set HttpOnly and Secure, and never trust a cookie's contents without verifying them server-side.
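The following is an added example written for this page; it is not code from the Grav project and does not reproduce the 1.7.21 fix. It shows the two halves of the weakness described above: the RFC 6265 path-match rule that decides which applications on a host receive a cookie (so a Path=/ session cookie reaches every application, while Path=/admin reaches only the admin one), and an HMAC tag that lets the server reject a cookie whose value was altered on the client. The cookie name `grav-session`, the `/admin` path, the request paths and the key are illustrative assumptions.

```python
"""Added example (not Grav project code): scope a session cookie with a narrow
Path and give it an HMAC tag so the server can detect tampering.  The cookie
name, the /admin path, the sample request paths and the key are assumptions."""
import hashlib
import hmac
from http.cookies import SimpleCookie

# Hypothetical server-side key; real deployments load it from configuration.
SECRET_KEY = b"demo-key-do-not-use-in-production"


def sign_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Append an HMAC-SHA256 tag so a modified cookie value is detectable."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_value(signed: str, key: bytes = SECRET_KEY):
    """Return the original value if the tag is valid, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep or not value:
        return None  # no tag at all: treat the cookie as untrusted
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return value


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: would a browser send this cookie here?"""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix only matches on a path-segment boundary ("/admin" != "/administrator").
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def build_set_cookie(name: str, value: str, path: str) -> str:
    """Build a Set-Cookie header: signed value, scoped Path, HttpOnly, Secure, SameSite."""
    jar = SimpleCookie()
    jar[name] = sign_value(value)
    morsel = jar[name]
    morsel["path"] = path        # the narrow Path is the point of this example
    morsel["httponly"] = True    # keep the session id away from page scripts
    morsel["secure"] = True      # never send it over plain HTTP
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def exposure_report(cookie_path: str, request_paths):
    """Map each request path to whether a cookie scoped to cookie_path reaches it."""
    return {p: path_matches(cookie_path, p) for p in request_paths}


if __name__ == "__main__":
    # Constructed sample request paths for three applications sharing one host.
    targets = ["/admin/pages", "/administrator", "/forum/login"]
    # Weak setting: Path=/ hands the session cookie to every application.
    print("Path=/      ->", exposure_report("/", targets))
    # Hardened setting: Path=/admin reaches only the admin application.
    print("Path=/admin ->", exposure_report("/admin", targets))
    header = build_set_cookie("grav-session", "sid-1234", "/admin")
    print(header)
    signed = header.split(";")[0].split("=", 1)[1]
    print("valid:   ", verify_value(signed))
    print("tampered:", verify_value(signed.replace("sid-1234", "sid-9999")))
```

The path check is the browser's rule, reproduced here so the exposure of a given Path can be reasoned about offline; the HMAC tag covers the "validation and integrity checking" half, and `hmac.compare_digest` avoids leaking the tag through timing. Signing only proves the server issued the value, so the session id must still be looked up server-side before it is trusted.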
How to fix CVE-2021-3818
To remediate CVE-2021-3818, upgrade the affected package to a fixed version:
- getgrav/grav: upgrade to 1.7.21 or later
Is CVE-2021-3818 being exploited?
Low. The EPSS score is 0.29%, a low predicted probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not evidence of observed attacks, so treat it as a prioritisation signal rather than proof that the bug is unexploited.
Affected packages (1)
- getgrav/grav: all versions >= 0 and < 1.7.21
CVSS scores
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | 6.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |

The vector string is labelled CVSS:3.0 while the source reports the score under CVSS 3.1; this vector (network, low complexity, low privileges, no user interaction, unchanged scope, low impact on each of confidentiality, integrity and availability) evaluates to 6.3 under both versions, so the discrepancy does not change the rating.