Cross-site Scripting (XSS) - Stored in getgrav/grav-plugin-admin
Reported on Oct 28th 2021
Description
In Grav, you can preview a file you uploaded by hovering over the file and clicking the info icon.
The normal preview should be like this:
However, I noticed that it is possible to perform XSS via the filename, because the preview is built from the following HTML code:
<div class="meta-preview">
<img src="/user/pages/02.typography/xss.svg?cropZoom=400,300">
</div>
We can upload a file with a filename of "><img src=x onerror=alert(1)> and it will break out of the quoted src attribute and execute our XSS payload.
Rendered HTML Code:
<div class="meta-preview">
<img src="/user/pages/02.typography/">
<img src="x" onerror="alert(1)">
.svg?cropZoom=400,300" />;
</div>
Aside from that, I found that the meta-content is also vulnerable when it returns the error message:
<div class="meta-content">
<ul>
<li>
<strong></strong>
" ">"
<img src="x" onerror="alert(1)">
.svg.meta.yaml doesn't exist
</li>
</ul>
</div>
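Both findings above are the same defect in two HTML contexts: the filename is dropped into a double-quoted src attribute (meta-preview) and into a text node (meta-content error message) without escaping. The following is an added example, not Grav's or the admin plugin's own code; it models those two contexts with an unsafe concatenation beside a hardened version, a conservative filename allowlist for upload handling (the allowlist is this example's assumption, not Grav's rule), and a small output check that flags a tag carrying an event-handler attribute. The BASE path and cropZoom query string are taken from the report; the REPORTED_NAME constant is the filename from the report with its .svg extension.

```javascript
// Added example (not the project's code): the two HTML contexts from the report.
const BASE = "/user/pages/02.typography/";  // page path seen in the report
const CROP = "?cropZoom=400,300";           // query string seen in the report
const REPORTED_NAME = '"><img src=x onerror=alert(1)>.svg'; // filename from the report

// Vulnerable pattern: the raw filename is concatenated into a quoted attribute,
// so a double quote in the name closes the attribute and a '>' closes the tag.
function buildPreviewUnsafe(filename) {
  return '<div class="meta-preview"><img src="' + BASE + filename + CROP + '"></div>';
}

// Minimal HTML escaping, sufficient for text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened: the filename is a URL path segment, so percent-encode it first,
// then HTML-escape the finished attribute value. Order matters: encoding for
// the inner context (URL) happens before encoding for the outer one (HTML).
function buildPreviewSafe(filename) {
  const url = BASE + encodeURIComponent(filename) + CROP;
  return '<div class="meta-preview"><img src="' + escapeHtml(url) + '"></div>';
}

// The error-message context: the filename lands in a text node inside <li>.
function buildMetaErrorSafe(filename) {
  return '<li><strong></strong> ' + escapeHtml(filename) + ".meta.yaml doesn't exist</li>";
}

// Defence in depth at upload time: accept only a conservative filename
// alphabet so attribute-breaking characters never reach storage.
// (Assumed policy for this example; adjust to the application's needs.)
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/;
function filenameIsSafe(filename) {
  return SAFE_NAME.test(filename) && !filename.includes("..");
}

// Output check for templates or log review: true when some element in the
// HTML carries an on*= event-handler attribute, which these templates never
// emit on their own. Escaped text (&lt;img ... onerror=) does not match.
function looksInjected(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Stand-alone demonstration on the reported filename.
console.log("unsafe :", buildPreviewUnsafe(REPORTED_NAME));
console.log("safe   :", buildPreviewSafe(REPORTED_NAME));
console.log("injected? unsafe=%s safe=%s",
  looksInjected(buildPreviewUnsafe(REPORTED_NAME)),
  looksInjected(buildPreviewSafe(REPORTED_NAME)));
```

The two-step encoding in buildPreviewSafe is the part worth copying: escaping only for HTML would still leave characters that change the meaning of the URL, and percent-encoding only would leave the attribute unescaped if the base path or query string ever carried a quote. The allowlist check belongs at the upload boundary, but it is a second layer, not a substitute for output encoding, because existing files and other input paths still reach the template.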
Proof of Concept
- Upload a file with "><img src=x onerror=alert(1)> as the filename
- Click the Metadata or info icon of the uploaded file
Impact
A malicious user could execute JS code and target other users of the website by retrieving their details such as Admin-Nonce, IP address, User Agent, Current Page Content, etc.
I also noticed that when I deleted the file, the notification alert also executed JS code.
Updates:
- Added data that can be retrieved by attacker
- Added a screenshot showing the data being retrieved when the victim opened the metadata of the file
- Fix CVSS
Can you please update repository to point to https://github.com/getgrav/grav-plugin-admin ?
Hi! I'm sorry, I don't have the privilege to edit the target repository. Maybe the @admin can.
As this is not a Grav issue but an Admin issue, we find ourselves unable to mark this as valid, even though it technically is and we are already working on a fix.
If someone can point it to https://github.com/getgrav/grav-plugin-admin that would be appreciated