Описание
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint /admin/pages/[page] in Multiples parameters
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface.
Details
Vulnerable Endpoint: POST /admin/pages/[page]
Parameters:
-
data[header][metadata] -
data[header][taxonomy][category] -
data[header][taxonomy][tag]
The application fails to properly sanitize user input when saving page metadata or taxonomy fields via the Admin Panel. As a result, an attacker with access to the admin interface can inject a malicious script using these parameters, and the script will be stored in the page's YAML frontmatter. When the page or metadata is rendered (especially in the Admin Panel), the payload is executed in the browser of any user with access.
PoC
Payload:
<script>alert('PoC-XXS51')</script>
Steps to Reproduce:
-
Log into the Grav Admin Panel and navigate to Pages.
-
Create or edit a page.
-
Inject the payload above into any of the following fields in the Options tab:
-
Metadata key name
-
Category under Taxonomy
-
Tag under Taxonomy
-
- Save the page.
When the page is loaded again in the Admin Panel or potentially on the frontend (depending on how the metadata is used), the script is executed, confirming the Stored XSS vulnerability.
Impact
Stored XSS vulnerabilities can result in serious consequences, including:
-
Session hijacking: Attackers can steal authentication cookies or tokens
-
Malware delivery: Injected scripts can download malicious software
-
Credential theft: Fake input fields can capture usernames and passwords
-
Sensitive data exposure: Access to internal metadata and browser data
-
Administrative access compromise: Especially dangerous in admin-facing interfaces
-
Phishing attacks: Users can be redirected to external malicious sites
-
Reputation damage: Executing arbitrary scripts in trusted systems undermines credibility
by CVE-Hunters
Пакеты
getgrav/grav
< 1.11.0-beta.1
1.11.0-beta.1
Связанные уязвимости
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface. This vulnerability is fixed in 1.11.0-beta.1.