ghsa-65mj-f7p4-wggq
Vulnerability from github
Published: 2025-12-02 01:24
Modified: 2025-12-02 01:24
Summary
Grav is vulnerable to reflected Cross-Site Scripting (XSS) at the endpoint /admin/pages/[page] via the parameter data[header][content][items], located in the "Blog Config" tab
Details

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][content][items] parameter.


Details

Vulnerable Endpoint: GET /admin/pages/[page]
Parameter: data[header][content][items]

The application fails to properly validate and sanitize user input in the data[header][content][items] parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session.
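The defect class described above (a submitted value interpolated into HTML without encoding) and the corresponding fix (encoding the value for the attribute context it lands in) can be shown side by side. The following is an added illustration, not Grav's template code or the project's actual fix; the field markup in `render_unsafe` and `render_safe` is a hypothetical stand-in for the Items input, and `POC_VALUE` is the payload string quoted on this page. `audit` uses Python's own HTML parser to list the tags and event-handler attributes a browser would see in each rendering.

```python
import html
from html.parser import HTMLParser

# The payload string given in this advisory's PoC, as it would arrive in the
# data[header][content][items] parameter.
POC_VALUE = "\"><ImG sRc=x OnErRoR=alert('XSS-PoC3')>"

FIELD_NAME = "data[header][content][items]"


def render_unsafe(value: str) -> str:
    """Models the defect: the submitted value is placed into an attribute with
    no encoding, so a leading quote closes the attribute and anything after it
    is parsed as new markup. Illustrative stand-in, not Grav's template."""
    return f'<input type="text" name="{FIELD_NAME}" value="{value}">'


def render_safe(value: str) -> str:
    """Hardened form: HTML-encode for the attribute context. quote=True (the
    default) also encodes both quote characters, so the value can never close
    the attribute that contains it, and '<' / '>' become entities."""
    return f'<input type="text" name="{FIELD_NAME}" value="{html.escape(value, quote=True)}">'


class TagCollector(HTMLParser):
    """Records every start tag and every on*= (event-handler) attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so mixed-case
        # spellings such as ImG / OnErRoR are normalised here.
        self.tags.append(tag)
        for name, _ in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))


def audit(markup: str) -> tuple[list[str], list[tuple[str, str]]]:
    """Return (tags seen, event-handler attributes seen) for a fragment."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.handlers


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        tags, handlers = audit(render(POC_VALUE))
        print(f"{label:6} tags={tags} handlers={handlers}")
```

The unsafe rendering yields two elements (the input plus an injected img carrying an onerror handler); the encoded rendering yields only the input, with the payload preserved as inert text in its value. Encoding must match the output context: this example covers a double-quoted HTML attribute, and a value that is later placed into JavaScript or a URL needs the encoder for that context instead.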


PoC

Payload:

"><ImG sRc=x OnErRoR=alert('XSS-PoC3')>

  1. Log in to the Grav Admin Panel and navigate to Pages.

  2. Create a new page or edit an existing one.

  3. In the Advanced > Blog Config > Items field (which maps to data[header][content][items]), insert the payload above.

[screenshot]

  4. Save the page.

  5. The malicious payload is reflected and rendered by the application without proper sanitization. The JavaScript code is immediately executed in the browser.

[screenshot]
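For detection, the same parameter can be watched in web-server access logs: the Items field should only ever hold a collection expression, never markup. The following added example (not part of the advisory and not a Grav component) parses two constructed log lines in combined format, decodes the query string of requests to the admin pages endpoint, and flags any data[header][content][items] value that contains a tag opener or an on*= attribute. The log lines, the client addresses and the benign value are constructed for the example; only the parameter name, endpoint and payload come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not real traffic). The first request carries a
# normal collection value in the Items field; the second carries the advisory's
# payload, URL-encoded the way a browser submits a form field.
SAMPLE_LOG = """\
10.0.0.5 - admin [02/Dec/2025:09:14:03 +0000] "GET /admin/pages/blog?data%5Bheader%5D%5Bcontent%5D%5Bitems%5D=%40self.children HTTP/1.1" 200 5120
10.0.0.9 - admin [02/Dec/2025:09:15:41 +0000] "GET /admin/pages/blog?data%5Bheader%5D%5Bcontent%5D%5Bitems%5D=%22%3E%3CImG+sRc%3Dx+OnErRoR%3Dalert%28%27XSS-PoC3%27%29%3E HTTP/1.1" 200 5120
"""

# Combined log format: client, ident, user, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

ADMIN_PREFIX = "/admin/pages/"
WATCHED_PARAM = "data[header][content][items]"

# Markup indicators in a field that must never contain HTML: a '<' followed by
# a tag name, or an on*= event-handler attribute. Case-insensitive so that
# mixed-case spellings are caught as well.
MARKUP_RE = re.compile(r"<\s*[a-z]|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_requests(log_text: str) -> list[tuple[str, str, str, str]]:
    """Return (client, user, parameter, decoded value) for every admin pages
    request whose watched parameter contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("target").startswith(ADMIN_PREFIX):
            continue
        # parse_qs percent-decodes both the bracketed key and the value.
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query).get(WATCHED_PARAM, []):
            if MARKUP_RE.search(value):
                hits.append((m.group("ip"), m.group("user"), WATCHED_PARAM, value))
    return hits


if __name__ == "__main__":
    for ip, user, param, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} ({user}) sent markup in {param}: {value!r}")
```

Only the second line is reported. Because the check runs on the decoded value, percent-encoding and mixed case do not evade it; a production rule would extend the parameter list to every admin form field that is reflected into the page and would also cover POST bodies, which access logs normally do not record.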


Impact

Reflected cross-site scripting (XSS) attacks can have serious consequences, including:

  • User actions: Attackers can perform actions on behalf of the user

  • Data theft: Sensitive information such as session cookies can be stolen

  • Account compromise: Attackers may impersonate legitimate users

  • Malicious code execution: Arbitrary JavaScript code can run in the user’s browser

  • Website defacement or misinformation: Malicious output may be injected visually

  • User redirection: Victims may be redirected to phishing or malicious websites

by CVE-Hunters



{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0-beta.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T01:24:45Z",
    "nvd_published_at": "2025-12-01T22:15:50Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[header][content][items]` parameter.\n\n---\n\n## Details\n\n**Vulnerable Endpoint:** `GET /admin/pages/[page]`  \n**Parameter:** `data[header][content][items]`\n\nThe application fails to properly validate and sanitize user input in the `data[header][content][items]` parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim\u0027s browser session.\n\n---\n\n## PoC\n\n**Payload:**\n\n`\"\u003e\u003cImG sRc=x OnErRoR=alert(\u0027XSS-PoC3\u0027)\u003e`\n\n1. Log in to the _Grav_ Admin Panel and navigate to **Pages**.\n    \n2. Create a new page or edit an existing one.\n    \n3. In the **Advanced \u003e Blog Config \u003e Items** field (which maps to `data[header][content][items]`), insert the payload above.\n\n![image](https://github.com/user-attachments/assets/ae77d92a-2e09-4b67-b3ae-5e317b9d518f)\n\n4. Save the page.\n     \n5. The malicious payload is reflected and rendered by the application without proper sanitization. The JavaScript code is immediately executed in the browser.\n\n![image](https://github.com/user-attachments/assets/328b0714-750a-421d-ad5e-ea7f148dca8f)\n\n---\n\n## Impact\n\nReflected cross-site scripting (XSS) attacks can have serious consequences, including:\n\n- **User actions:** Attackers can perform actions on behalf of the user\n    \n- **Data theft:** Sensitive information such as session cookies can be stolen\n    \n- **Account compromise:** Attackers may impersonate legitimate users\n    \n- **Malicious code execution:** Arbitrary JavaScript code can run in the user\u2019s browser\n    \n- **Website defacement or misinformation:** Malicious output may be injected visually\n    \n- **User redirection:** Victims may be redirected to phishing or malicious websites\n\nby\u00a0[CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)",
  "id": "GHSA-65mj-f7p4-wggq",
  "modified": "2025-12-02T01:24:45Z",
  "published": "2025-12-02T01:24:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66309"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the \"Blog Config\" tab"
}

