Description
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][content][items] parameter. This vulnerability is fixed in 1.11.0-beta.1.
Vulnerable configurations
Configuration 1: versions up to and including 1.10.50
cpe:2.3:a:getgrav:grav-plugin-admin:*:*:*:*:*:*:*:*
EPSS
Percentile: 12%
0.00042
Low
6.1 Medium
CVSS3
Weaknesses
CWE-79
Related vulnerabilities
github
2 months ago
Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab
EPSS
Percentile: 12%
0.00042
Low
6.1 Medium
CVSS3
Weaknesses
CWE-79