GHSA-p4ww-mcp9-j6f2

Source

https://github.com/advisories/GHSA-p4ww-mcp9-j6f2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-p4ww-mcp9-j6f2/GHSA-p4ww-mcp9-j6f2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p4ww-mcp9-j6f2

Aliases

CVE-2025-66300

Published

2025-12-02T00:36:43Z

Modified

2025-12-02T01:32:11.173306Z

Severity

8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L CVSS Calculator

Summary

Grav is vulnerable to Arbitrary File Read

Details

Summary

A low privilege user account with page editing privilege can read any server files using "Frontmatter" form.
This includes Grav user account files - /grav/user/accounts/*.yaml. This file stores hashed user password, 2FA secret, and the password reset token.
This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password.

Details

The vulnerability can be found in /user/plugins/form/templates/forms/fields/display/display.html.twig

PoC

This PoC was conducted on Grav CMS version 1.7.46 and Admin Plugin version 1.10.46

go to “http://grav.local/admin/pages” then create new page with “Page Template” option set to “Form”.

Then go to “Expert” and on Frontmatter input box used to following form template.

Save page and go the preview or published page you will see the content of “/etc/passwd” file on the server.

Impact

This can allow a low privileged user to perform a full account takeover of other registered users including Administrators. This can also allow an adversary to read any file on the web server. And Due to insufficient permission verification , user who can write a page also can use frontmatter feature using this IDOR vulnerability PoC IDOR mention in CVE-2024-2792

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ],
    "nvd_published_at": "2025-12-01T22:15:49Z",
    "github_reviewed_at": "2025-12-02T00:36:43Z",
    "severity": "HIGH"
}

References

Affected packages

Packagist / getgrav/grav

Package

Name: getgrav/grav
Purl: pkg:composer/getgrav/grav

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.0-beta.27

Affected versions

0.*

0.8.0

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.10

0.9.11

0.9.12

0.9.13

0.9.14

0.9.15

0.9.16

0.9.17

0.9.18

0.9.19

0.9.20

0.9.21

0.9.22

0.9.23

0.9.24

0.9.25

0.9.26

0.9.27

0.9.28

0.9.29

0.9.30

0.9.31

0.9.32

0.9.33

0.9.34

0.9.35

0.9.36

0.9.37

0.9.38

0.9.39

0.9.40

0.9.41

0.9.42

0.9.43

0.9.44

0.9.45

1.*

1.0.0-rc.1

1.0.0-rc.2

1.0.0-rc.3

1.0.0-rc.4

1.0.0-rc.5

1.0.0-rc.6

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.1.0-beta.1

1.1.0-beta.2

1.1.0-beta.3

1.1.0-beta.4

1.1.0-beta.5

1.1.0-rc.1

1.1.0-rc.2

1.1.0-rc.3

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9-rc.1

1.1.9-rc.2

1.1.9-rc.3

1.1.9

1.1.10

1.1.11

1.1.12

1.1.13

1.1.14

1.1.15

1.1.16

1.1.17

1.2.0-rc.1

1.2.0-rc.2

1.2.0-rc.3

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.3.0-rc.1

1.3.0-rc.2

1.3.0-rc.3

1.3.0-rc.4

1.3.0-rc.5

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.4.0-beta.1

1.4.0-beta.2

1.4.0-beta.3

1.4.0-rc.1

1.4.0-rc.2

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.5.0-beta.1

1.5.0-beta.2

1.5.0-rc.1

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.5.9

1.5.10

1.6.0-beta.1

1.6.0-beta.2

1.6.0-beta.3

1.6.0-beta.4

1.6.0-beta.5

1.6.0-beta.6

1.6.0-beta.7

1.6.0-beta.8

1.6.0-rc.1

1.6.0-rc.2

1.6.0-rc.3

1.6.0-rc.4

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.6.11

1.6.12

1.6.13

1.6.14

1.6.15

1.6.16

1.6.17

1.6.18

1.6.19

1.6.20

1.6.21

1.6.22

1.6.23

1.6.24

1.6.25

1.6.26

1.6.27

1.6.28

1.6.29

1.6.30

1.6.31

1.7.0-beta.1

1.7.0-beta.2

1.7.0-beta.3

1.7.0-beta.4

1.7.0-beta.5

1.7.0-beta.6

1.7.0-beta.7

1.7.0-beta.8

1.7.0-beta.9

1.7.0-beta.10

1.7.0-rc.1

1.7.0-rc.2

1.7.0-rc.3

1.7.0-rc.4

1.7.0-rc.5

1.7.0-rc.6

1.7.0-rc.7

1.7.0-rc.8

1.7.0-rc.9

1.7.0-rc.10

1.7.0-rc.11

1.7.0-rc.12

1.7.0-rc.13

1.7.0-rc.14

1.7.0-rc.15

1.7.0-rc.16

1.7.0-rc.17

1.7.0-rc.18

1.7.0-rc.19

1.7.0-rc.20

1.7.0

1.7.1

1.7.3

1.7.4

1.7.5

1.7.6

1.7.7

1.7.8

1.7.9

1.7.10

1.7.12

1.7.13

1.7.14

1.7.15

1.7.16

1.7.17

1.7.18

1.7.19

1.7.20

1.7.21

1.7.22

1.7.23

1.7.24

1.7.25

1.7.26

1.7.26.1

1.7.27

1.7.27.1

1.7.28

1.7.29

1.7.29.1

1.7.30

1.7.31

1.7.32

1.7.33

1.7.34

1.7.35

1.7.36

1.7.37

1.7.37.1

1.7.38

1.7.39

1.7.39.1

1.7.39.2

1.7.39.3

1.7.39.4

1.7.40

1.7.41

1.7.41.1

1.7.41.2

1.7.42

1.7.42.1

1.7.42.2

1.7.42.3

1.7.43

1.7.44

1.7.45

1.7.46

1.7.47

1.7.48

1.7.49

1.7.49.1

1.7.49.2

1.7.49.3

1.7.49.4

1.7.49.5

1.8.0-beta.1

1.8.0-beta.2

1.8.0-beta.3

1.8.0-beta.4

1.8.0-beta.5

1.8.0-beta.6

1.8.0-beta.7

1.8.0-beta.8

1.8.0-beta.9

1.8.0-beta.10

1.8.0-beta.11

1.8.0-beta.12

1.8.0-beta.13

1.8.0-beta.14

1.8.0-beta.15

1.8.0-beta.16

1.8.0-beta.17

1.8.0-beta.18

1.8.0-beta.19

1.8.0-beta.20

1.8.0-beta.21

1.8.0-beta.22

1.8.0-beta.23

1.8.0-beta.24

1.8.0-beta.25

1.8.0-beta.26

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-p4ww-mcp9-j6f2/GHSA-p4ww-mcp9-j6f2.json"