ghsa-rmw5-f87r-w988
Vulnerability from github
Published
2025-12-02 00:37
Modified
2025-12-02 00:37
Severity ?
6.2 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H
Summary
Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`
Details

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[readableName] parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.

Details

Vulnerable Endpoint: POST /admin/accounts/groups/Grupo
Parameter: data[readableName]

The application fails to properly validate and sanitize user input in the data[readableName] parameter. This lack of input handling allows attackers to inject arbitrary script content that is stored in the application and executed in the browser of any user who views the affected group configuration.

PoC

Payload:

<ScRipT>alert('PoC-XSS')</ScRipT>

  1. Navigate to Accounts > Groups in the administrative panel.

  2. Create a new group or edit an existing one.

  3. In the Display Name field (data[readableName]), insert the payload above and save the changes.

image

The following HTTP request was generated during this action: image

  1. Next, go to Accounts > Users and open any user profile.

image

  1. The malicious script is executed immediately in the browser when the page loads, confirming the existence of a Stored XSS vulnerability.

image

Impact

Stored XSS vulnerabilities can result in serious consequences, including:

  • Session hijacking: Attackers can steal authentication cookies or tokens

  • Malware delivery: Inserting scripts that download malicious content

  • Credential theft: Capturing usernames and passwords through injected forms

  • Sensitive data exposure: Accessing data stored in the browser or the application

  • Browser takeover: Executing arbitrary commands in the user’s session

  • Phishing attacks: Redirecting users to fake login or malicious sites

  • Website defacement: Altering page content shown to users

  • Reputational damage: Undermining trust in the platform or organization

by CVE-Hunters

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0-beta.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T00:37:38Z",
    "nvd_published_at": "2025-12-01T22:15:51Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/accounts/groups/Grupo` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[readableName]` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.\n\n---\n\n## Details\n\n**Vulnerable Endpoint:** `POST /admin/accounts/groups/Grupo`  \n**Parameter:** `data[readableName]`\n\nThe application fails to properly validate and sanitize user input in the `data[readableName]` parameter. This lack of input handling allows attackers to inject arbitrary script content that is stored in the application and executed in the browser of any user who views the affected group configuration.\n\n---\n\n## PoC\n\n**Payload:**\n\n`\u003cScRipT\u003ealert(\u0027PoC-XSS\u0027)\u003c/ScRipT\u003e`\n\n1. Navigate to **Accounts \u003e Groups** in the administrative panel.\n    \n2. Create a new group or edit an existing one.\n    \n3. In the **Display Name** field (`data[readableName]`), insert the payload above and save the changes.\n\n![image](https://github.com/user-attachments/assets/e6db531e-9968-4fc5-8329-12183975096c)\n\n\nThe following HTTP request was generated during this action:\n![image](https://github.com/user-attachments/assets/37e9a2c6-f7be-45b4-8aaf-13e64940561f)\n\n\n4. Next, go to **Accounts \u003e Users** and open any user profile.\n\n![image](https://github.com/user-attachments/assets/a09215ab-17a2-4b17-9b58-cf3737d95ba2)\n\n\n5. The malicious script is executed immediately in the browser when the page loads, confirming the existence of a **Stored XSS** vulnerability.\n\n![image](https://github.com/user-attachments/assets/8411ca04-4d84-4f88-9c6a-7dd88e65a6e0)\n\n\n---\n\n## Impact\n\nStored XSS vulnerabilities can result in serious consequences, including:\n\n- **Session hijacking:** Attackers can steal authentication cookies or tokens\n    \n- **Malware delivery:** Inserting scripts that download malicious content\n    \n- **Credential theft:** Capturing usernames and passwords through injected forms\n    \n- **Sensitive data exposure:** Accessing data stored in the browser or the application\n    \n- **Browser takeover:** Executing arbitrary commands in the user\u2019s session\n    \n- **Phishing attacks:** Redirecting users to fake login or malicious sites\n    \n- **Website defacement:** Altering page content shown to users\n    \n- **Reputational damage:** Undermining trust in the platform or organization\n\nby\u00a0[CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)",
  "id": "GHSA-rmw5-f87r-w988",
  "modified": "2025-12-02T00:37:38Z",
  "published": "2025-12-02T00:37:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66312"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.