ghsa-mpjj-4688-3fxg
Vulnerability from github
Published
2025-12-02 00:37
Modified
2025-12-02 00:37
Severity ?
6.2 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H
Summary
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters
Details

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface.

Details

Vulnerable Endpoint: POST /admin/pages/[page]
Parameters:

  • data[header][metadata]

  • data[header][taxonomy][category]

  • data[header][taxonomy][tag]

The application fails to properly sanitize user input when saving page metadata or taxonomy fields via the Admin Panel. As a result, an attacker with access to the admin interface can inject a malicious script using these parameters, and the script will be stored in the page's YAML frontmatter. When the page or metadata is rendered (especially in the Admin Panel), the payload is executed in the browser of any user with access.

PoC

Payload:

<script>alert('PoC-XXS51')</script>

Steps to Reproduce:

  1. Log into the Grav Admin Panel and navigate to Pages.

  2. Create or edit a page.

  3. Inject the payload above into any of the following fields in the Options tab:

    • Metadata key name

    • Category under Taxonomy

    • Tag under Taxonomy image

image

  1. Save the page. image

When the page is loaded again in the Admin Panel or potentially on the frontend (depending on how the metadata is used), the script is executed, confirming the Stored XSS vulnerability.

Impact

Stored XSS vulnerabilities can result in serious consequences, including:

  • Session hijacking: Attackers can steal authentication cookies or tokens

  • Malware delivery: Injected scripts can download malicious software

  • Credential theft: Fake input fields can capture usernames and passwords

  • Sensitive data exposure: Access to internal metadata and browser data

  • Administrative access compromise: Especially dangerous in admin-facing interfaces

  • Phishing attacks: Users can be redirected to external malicious sites

  • Reputation damage: Executing arbitrary scripts in trusted systems undermines credibility

by CVE-Hunters

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T00:37:14Z",
    "nvd_published_at": "2025-12-01T22:15:51Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[header][metadata]`, `data[header][taxonomy][category]`, and `data[header][taxonomy][tag]` parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface.\n\n---\n\n## Details\n\n**Vulnerable Endpoint:** `POST /admin/pages/[page]`  \n**Parameters:**\n\n- `data[header][metadata]`\n    \n- `data[header][taxonomy][category]`\n    \n- `data[header][taxonomy][tag]`\n    \n\nThe application fails to properly sanitize user input when saving page metadata or taxonomy fields via the Admin Panel. As a result, an attacker with access to the admin interface can inject a malicious script using these parameters, and the script will be stored in the page\u0027s YAML frontmatter. When the page or metadata is rendered (especially in the Admin Panel), the payload is executed in the browser of any user with access.\n\n---\n\n## PoC\n\n**Payload:**\n\n`\u003cscript\u003ealert(\u0027PoC-XXS51\u0027)\u003c/script\u003e`\n\n### Steps to Reproduce:\n\n1. Log into the _Grav_ Admin Panel and navigate to **Pages**.\n    \n2. Create or edit a page.\n    \n3. Inject the payload above into any of the following fields in the Options tab:\n    \n    - **Metadata** key name\n        \n    - **Category** under Taxonomy\n        \n    - **Tag** under Taxonomy\n![image](https://github.com/user-attachments/assets/b66f3d4d-8f9d-40a9-83a8-5a365814c00b)\n\n![image](https://github.com/user-attachments/assets/a1164198-2e25-4746-acb5-71f4874aebbe)\n\n4. Save the page.\n![image](https://github.com/user-attachments/assets/6c9c0ba4-bce3-4a72-a10f-39b0b886a10c)\n\nWhen the page is loaded again in the Admin Panel or potentially on the frontend (depending on how the metadata is used), the script is executed, confirming the **Stored XSS** vulnerability.\n\n---\n\n## Impact\n\nStored XSS vulnerabilities can result in serious consequences, including:\n\n- **Session hijacking:** Attackers can steal authentication cookies or tokens\n    \n- **Malware delivery:** Injected scripts can download malicious software\n    \n- **Credential theft:** Fake input fields can capture usernames and passwords\n    \n- **Sensitive data exposure:** Access to internal metadata and browser data\n    \n- **Administrative access compromise:** Especially dangerous in admin-facing interfaces\n    \n- **Phishing attacks:** Users can be redirected to external malicious sites\n    \n- **Reputation damage:** Executing arbitrary scripts in trusted systems undermines credibility\n\nby\u00a0[CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)",
  "id": "GHSA-mpjj-4688-3fxg",
  "modified": "2025-12-02T00:37:14Z",
  "published": "2025-12-02T00:37:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66311"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.