CVE-2023-34452

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-34452

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34452.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-34452

Aliases

GHSA-xcr8-cc2j-62fc

Published

2023-06-14T22:28:34.824Z

Modified

2026-04-10T04:58:30.998854Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Grav vulnerable to Self Cross Site Scripting in /forgot_password

Details

Grav is a flat-file content management system. In versions 1.7.42 and prior, the "/forgot_password" page has a self-reflected cross-site scripting vulnerability that can be exploited by injecting a script into the "email" parameter of the request. While this vulnerability can potentially allow an attacker to execute arbitrary code on the user's browser, the impact is limited as it requires user interaction to trigger the vulnerability. As of time of publication, a patch is not available. Server-side validation should be implemented to prevent this vulnerability.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/34xxx/CVE-2023-34452.json"
}

References

Affected packages

Git / github.com/getgrav/grav

Affected ranges

Type

GIT

Repo

https://github.com/getgrav/grav

Events

Introduced

Last affected

dc209453d0817547db0d3a8b27110decb63f2b5d

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.7.42"
        }
    ]
}

Affected versions

0.*

0.8.0

0.9.0

0.9.10

0.9.11

0.9.12

0.9.13

0.9.14

0.9.15

0.9.16

0.9.17

0.9.18

0.9.19

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

1.*

1.1.0-beta.1

1.1.0-beta.2

1.1.0-beta.3

1.1.0-beta.4

1.1.0-beta.5

1.1.0-rc.1

1.1.0-rc.2

1.1.0-rc.3

1.1.9-rc.1

1.1.9-rc.2

1.1.9-rc.3

1.2.0-rc.1

1.2.0-rc.2

1.2.0-rc.3

1.3.0-rc.1

1.3.0-rc.3

1.3.0-rc.4

1.3.0-rc.5

1.5.0-beta.1

1.5.0-beta.2

1.5.0-rc.1

1.6.0-beta.1

1.6.0-beta.2

1.6.0-beta.5

1.6.0-beta.6

1.6.0-beta.7

1.6.0-beta.8

1.6.0-rc.1

1.6.0-rc.2

1.6.0-rc.3

1.6.0-rc.4

1.7.0

1.7.0-beta.1

1.7.0-beta.10

1.7.0-beta.2

1.7.0-beta.3

1.7.0-beta.4

1.7.0-beta.5

1.7.0-beta.6

1.7.0-beta.7

1.7.0-beta.8

1.7.0-beta.9

1.7.0-rc.1

1.7.0-rc.10

1.7.0-rc.12

1.7.0-rc.13

1.7.0-rc.14

1.7.0-rc.15

1.7.0-rc.17

1.7.0-rc.18

1.7.0-rc.19

1.7.0-rc.2

1.7.0-rc.20

1.7.0-rc.3

1.7.0-rc.4

1.7.0-rc.5

1.7.0-rc.6

1.7.0-rc.7

1.7.0-rc.8

1.7.0-rc.9

1.7.1

1.7.10

1.7.12

1.7.13

1.7.14

1.7.15

1.7.16

1.7.17

1.7.18

1.7.19

1.7.20

1.7.21

1.7.22

1.7.23

1.7.24

1.7.25

1.7.26

1.7.26.1

1.7.27

1.7.27.1

1.7.28

1.7.29

1.7.29.1

1.7.3

1.7.30

1.7.31

1.7.32

1.7.33

1.7.34

1.7.35

1.7.36

1.7.37

1.7.37.1

1.7.38

1.7.39

1.7.39.1

1.7.39.2

1.7.39.3

1.7.39.4

1.7.4

1.7.40

1.7.41

1.7.41.1

1.7.41.2

1.7.42

1.7.5

1.7.6

1.7.7

1.7.8

1.7.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34452.json"