Vulnerability Database

300,445

Total vulnerabilities in the database

Cross-Site Scripting in Grav

Impact

Privileged users (with the ability to edit pages) have a mechanism to perform remote code execution via XSS. At a minimum, the vulnerability represents a bypass of security controls put in place to mitigate this form of attack.

The remote code execution can be performed because XSS would allow an attacker to execute functionality on behalf of a stolen administrative account - the facility to install custom plugins would then allow said attacker to install a plugin containing a web shell and thus garner access to the underlying system.

References

https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS) https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html https://cwe.mitre.org/data/definitions/79.html

For more information

Please contact contact@pentest.co.uk

Published: Dec 10, 2020
Updated: Apr 14, 2023
GHSA: GHSA-cvmr-6428-87w9
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
getgrav / grav	-	1.6.30

https://github.com/getgrav/grav/security/advisories/GHSA-cvmr-6428-87w9

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo