Cross-site Scripting (XSS) - Stored in getgrav/grav

Status: Valid

Reported on Oct 20th 2021


Description

Grav is vulnerable to stored XSS. Its XSS filter (Security.php) rejects the literal javascript: scheme in the href of an <a> tag, but the check runs on the raw, undecoded string. Writing the HTML named character reference &colon; in place of the literal colon (javascript&colon;...) passes the filter, while the browser decodes the reference when it parses the attribute, so the link is still treated as a javascript: URL when clicked.

Proof of Concept

Payload:

<a href="javascript&colon;alert(document.domain)">CLICK HERE</a>

1: As a user with low privileges (one who is allowed to edit pages), save the payload into a page's content.

2: Open the target page and click on CLICK HERE; the alert displays the site's domain, confirming script execution in the site's origin.

A PoC video was attached to the original report.
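The bypass above is the general failure mode of matching a scheme before decoding the attribute. The following is an added example, not Grav's own filter and not the fix commit: it contrasts a naive literal-string check with one that decodes character references and strips control characters before comparing the scheme, and it extends the report's &colon; case to numeric references and tab-split schemes, which browsers normalise the same way. The payload strings are constructed for this demonstration; the helper names (naive_detect, hardened_detect) are hypothetical.

```python
import html
import re

# Constructed sample markup: the report's payload, three equivalent encodings,
# and a benign link that a literal-string blacklist would wrongly flag.
PAYLOADS = {
    "plain":        '<a href="javascript:alert(document.domain)">CLICK HERE</a>',
    "named_entity": '<a href="javascript&colon;alert(document.domain)">CLICK HERE</a>',
    "dec_entity":   '<a href="javascript&#58;alert(document.domain)">CLICK HERE</a>',
    "hex_entity":   '<a href="javascript&#x3a;alert(document.domain)">CLICK HERE</a>',
    "tab_split":    '<a href="java\tscript:alert(document.domain)">CLICK HERE</a>',
    "benign_query": '<a href="https://example.com/?next=javascript:void(0)">docs</a>',
}

NAIVE = re.compile(r"javascript:", re.I)


def naive_detect(markup: str) -> bool:
    """Literal-string blacklist on the raw markup.

    This is the shape of check that javascript&colon; slips past: the
    bytes "javascript:" never appear, even though the browser will
    decode the reference into exactly that scheme.
    """
    return NAIVE.search(markup) is not None


# Matches href="...", href='...' and unquoted href=... forms.
HREF = re.compile(r"""href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
SCRIPT_SCHEMES = {"javascript", "vbscript"}


def normalise_href(value: str) -> str:
    """Reproduce what the browser does before it reads the scheme.

    1. Decode named (&colon;), decimal (&#58;) and hex (&#x3a;) references.
    2. Drop ASCII control characters and whitespace, which browsers ignore
       inside a scheme ("java\tscript:" is still javascript:).
    """
    value = html.unescape(value)
    return re.sub(r"[\x00-\x20\x7f]", "", value)


def scheme_of(value: str) -> str:
    """Return the URL scheme in lower case, or '' if the URL has none."""
    m = re.match(r"([a-z][a-z0-9+.\-]*):", value, re.I)
    return m.group(1).lower() if m else ""


def hardened_detect(markup: str) -> bool:
    """Decode first, then compare the scheme of each href.

    Checking the scheme rather than searching for a substring also avoids
    flagging a harmless https: link that merely contains "javascript:" in
    its query string.
    """
    for m in HREF.finditer(markup):
        raw = next(g for g in m.groups() if g is not None)
        if scheme_of(normalise_href(raw)) in SCRIPT_SCHEMES:
            return True
    return False


def compare(payloads=PAYLOADS) -> dict:
    """Run both checks over every sample; returns {name: (naive, hardened)}."""
    return {name: (naive_detect(p), hardened_detect(p)) for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (naive, hard) in compare().items():
        print(f"{name:14} naive={naive!s:5} hardened={hard!s:5}")
```

The naive check flags only the plain payload (and the benign query-string link), while the hardened check flags all five script-bearing variants and leaves the benign link alone. The fix that matters is the ordering: decode, then inspect, never the other way round.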

Impact

A user with only page-editing privileges can store a link that executes arbitrary JavaScript, in the site's origin, in the browser of any user who views the page and clicks it.

Timeline

- We have contacted a member of the getgrav/grav team and are waiting to hear back (2 years ago)
- We have sent a follow up to the getgrav/grav team. We will try again in 4 days. (2 years ago)
- getgrav/grav maintainer validated this vulnerability (2 years ago)
- effectrenan has been awarded the disclosure bounty
- The fix bounty is now up for grabs
- getgrav/grav maintainer marked this as fixed with commit afc69a (2 years ago)
- The fix bounty has been dropped
- Security.php#L82-L125 has been validated

Jamie Slome (2 years ago): CVE published! 🎉
