ghsa-gq3g-666w-7h85
Vulnerability from github
Exposure of Password Hashes Leading to privilege escalation
Severity Rating: Medium
Vector: Privilege Escalation
CVE: XXX
CWE: 200 - Exposure of Sensitive Information
CVSS Score: 6.2
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Analysis
It was observed that if a users is given read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes.
An attacker with read access can: * View and potentially crack the password hashes. * Gain administrative access by cracking the admin password hash. * Escalate privileges and compromise the entire admin panel.
Proof of Concept
1) Give read access to user accounts to a random user as shown in the following figures:
2) Log in to the admin panel with an account that has read access to user accounts and navigate to the user account management section.
3) Go to the admin profile http://127.0.0.1/admin/accounts/users/admin; The password is not display. Try inspecting the page source code as shown in the following figures:
You can see that it match the hash that is in the admin.yaml file :
4) Crack the hash as shown in the following figure, the algorithm use here is bcrypt:
Workarounds
No workaround is currently known
Timeline
2024-07-24 Issue identified
2024-09-27 Vendor contacted
About X41 D-Sec GmbH
X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.0-beta.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66304"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-201"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-02T00:37:07Z",
"nvd_published_at": "2025-12-01T22:15:50Z",
"severity": "MODERATE"
},
"details": "# Exposure of Password Hashes Leading to privilege escalation\n**Severity Rating:** Medium \n\n**Vector:** Privilege Escalation\n\n**CVE:** XXX\n\n**CWE:** 200 - Exposure of Sensitive Information\n\n**CVSS Score:** 6.2\n\n**CVSS Vector:** CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L\n\n## Analysis\n\nIt was observed that if a users is given read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes.\n\nAn attacker with read access can: \n* View and potentially crack the password hashes.\n* Gain administrative access by cracking the admin password hash.\n* Escalate privileges and compromise the entire admin panel.\n\n\n## Proof of Concept\n\n1) Give read access to user accounts to a random user as shown in the following figures:\n \n \n \n\n2) Log in to the admin panel with an account that has read access to user accounts and navigate to the user account management section.\n\n3) Go to the admin profile `http://127.0.0.1/admin/accounts/users/admin`; The password is not display. Try inspecting the page source code as shown in the following figures:\n \n \n You can see that it match the hash that is in the admin.yaml file :\n \n \n\n4) Crack the hash as shown in the following figure, the algorithm use here is bcrypt:\n \n\n \n\n## Workarounds\nNo workaround is currently known\n\n# Timeline\n**2024-07-24** Issue identified\n\n**2024-09-27** Vendor contacted\n\n\n# About X41 D-Sec GmbH\nX41 is an expert provider for application security services.\nHaving extensive industry experience and expertise in the area of information\nsecurity, a strong core security team of world class security experts enables\nX41 to perform premium security services.\n\nFields of expertise in the area of application security are security centered\ncode reviews, binary reverse engineering and vulnerability discovery.\nCustom research and IT security consulting and support services are core\ncompetencies of X41.",
"id": "GHSA-gq3g-666w-7h85",
"modified": "2025-12-02T00:37:07Z",
"published": "2025-12-02T00:37:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66304"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Grav Exposes Password Hashes Leading to privilege escalation"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.