GHSA-gqxx-248x-g29f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gqxx-248x-g29f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-gqxx-248x-g29f/GHSA-gqxx-248x-g29f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gqxx-248x-g29f
- Aliases
- Published
- 2025-12-02T01:23:19Z
- Modified
- 2025-12-02T02:16:15.975431Z
- Severity
-
- 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
- Summary
- Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`
- Details
-
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the
/admin/config/siteendpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into thedata[taxonomies]parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector.
Details
Vulnerable Endpoint:
POST /admin/config/site
Parameter:data[taxonomies]The application does not properly validate or sanitize input in the
data[taxonomies]field. As a result, an attacker can inject JavaScript code, which is stored in the site configuration and later rendered in the administrative interface or site output, causing automatic execution in the user's browser.
PoC
Payload:
"><script>alert('XSS-PoC')</script>Steps to Reproduce:
Log in to the Grav Admin Panel with sufficient permissions to modify site configuration.
Navigate to Configuration > Site.
In the Taxonomies Types field (which maps to
data[taxonomies]), insert the payload above:"><script>alert('XSS-PoC')</script>Save the configuration.
<img width="1897" height="628" alt="Pasted image 20250718195942" src="https://github.com/user-attachments/assets/2035fcaa-34fc-494c-a7ca-7c1e1f34b057" />
- Go on Pages and click on one of them
<img width="932" height="587" alt="Pasted image 20250718200306" src="https://github.com/user-attachments/assets/3c1995ba-2581-4e27-ae9d-a17e2eeb5b57" />
- The stored payload is executed immediately in the browser, confirming the Stored XSS vulnerability.
<img width="1204" height="377" alt="Pasted image 20250718200353" src="https://github.com/user-attachments/assets/ad8ea7ea-603f-4b84-aa5a-120de0cb56ce" />
- The HTTP request submitted during this process contains the vulnerable parameter and payload:
<img width="757" height="675" alt="Pasted image 20250718200445" src="https://github.com/user-attachments/assets/fbbe2b76-00eb-4426-8ddd-5cde2cc65d77" />
Impact
Stored XSS attacks can lead to severe consequences, including:
Session hijacking: Stealing cookies or authentication tokens to impersonate users
Credential theft: Harvesting usernames and passwords using malicious scripts
Malware delivery: Distributing unwanted or harmful code to victims
Privilege escalation: Compromising administrative users through persistent scripts
Data manipulation or defacement: Changing or disrupting site content
Reputation damage: Eroding trust among site users and administrators
Discoverer
by CVE-Hunters
- Database specific
{ "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2025-12-02T01:23:19Z", "nvd_published_at": "2025-12-01T22:15:50Z" }- References
Affected packages
Packagist / getgrav/grav
Package
- Name
- getgrav/grav
- Purl
- pkg:composer/getgrav/grav
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.8.0-beta.27