Cross-site Scripting (XSS) - Stored in getgrav/grav

Valid

Reported on

Oct 20th 2021


Description

Grav is vulnerable to stored XSS. It is possible to use &colon; instead of : in <a> tags: a check that looks for the literal javascript: scheme in an href does not match javascript&colon;, but the browser decodes the HTML character reference when it parses the attribute value, so the link still executes JavaScript when it is clicked.

Proof of Concept

Payload:

<a href="javascript&colon;alert(document.domain)">CLICK HERE</a>

1: As a user with low privileges, edit a page and insert the payload.

2: Open the target page and click on CLICK HERE.

PoC video.
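The following is an added example, not code from Grav or from this report. It models the bypass described above in Node.js: a naive filter that looks for the literal string "javascript:" never sees it in the report's payload, while a decode-then-check filter does. The decoder is a deliberately small stand-in for the browser's attribute-value parsing (its entity table covers only what the example needs), the function names naiveIsSafeHref and hardenedIsSafeHref are hypothetical, the allowed-scheme list is an assumption, and the sample hrefs are constructed. It goes beyond the report's &colon; case to numeric references and a tab inside the scheme, which browsers also tolerate.

```javascript
// Added example, not Grav's code. Models why "javascript&colon;..." slips past a
// filter that looks for the literal "javascript:" in an href, and how decoding
// the attribute value first, then checking the scheme, catches it.

// Partial entity table (assumption: only the names this example needs).
const NAMED_REFS = { colon: ':', Tab: '\t', NewLine: '\n', amp: '&', lt: '<', gt: '>', quot: '"', sol: '/' };

// Decode character references as they appear in an HTML attribute value:
// named (&colon;), decimal (&#58;) and hexadecimal (&#x3a;), with the trailing
// semicolon optional, as browsers accept for numeric references. Unknown names
// and out-of-range code points are left as written.
function decodeAttrValue(value) {
  return value.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z][a-z0-9]*));?/gi, (ref, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : ref;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : ref;
  });
}

// Naive check (hypothetical): a substring match on the raw attribute text.
// This is the pattern the report's payload bypasses.
function naiveIsSafeHref(href) {
  return !/javascript:/i.test(href);
}

// Hardened check (hypothetical): decode references first, normalise the way the
// URL parser does (drop ASCII tab/LF/CR anywhere, trim surrounding whitespace),
// then allow only an explicit list of schemes. Relative URLs carry no scheme
// and are allowed.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function hardenedIsSafeHref(href) {
  const url = decodeAttrValue(href).replace(/[\t\n\r]/g, '').trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (m === null) return true;
  return ALLOWED_SCHEMES.includes(m[1].toLowerCase());
}

// Constructed sample hrefs: the report's payload plus common variants.
const SAMPLE_HREFS = [
  'javascript:alert(document.domain)',             // literal form, caught by both checks
  'javascript&colon;alert(document.domain)',       // this report's payload
  'javascript&#58;alert(document.domain)',         // decimal reference
  'javascript&#x3A;alert(document.domain)',        // hexadecimal reference
  'java&#9;script:alert(document.domain)',         // tab inside the scheme
  'https://example.com/?next=javascript&colon;x',  // harmless: the scheme is https
  '/user/pages/home',                              // relative link, no scheme
];

// Run both checks over the samples and report what each filter lets through.
function compareFilters(hrefs = SAMPLE_HREFS) {
  return hrefs.map((href) => ({
    href,
    decoded: decodeAttrValue(href),
    naive: naiveIsSafeHref(href),
    hardened: hardenedIsSafeHref(href),
  }));
}

for (const r of compareFilters()) {
  console.log(`naive:${r.naive ? 'ALLOW' : 'BLOCK'}  hardened:${r.hardened ? 'ALLOW' : 'BLOCK'}  ${r.href}`);
}
```

Checking the scheme of the decoded, whitespace-stripped value rather than searching for a substring matters in both directions: it blocks javascript&colon;, javascript&#58; and java&#9;script:, and it still allows an https URL that merely contains the text javascript&colon; in its query string, which a substring match on the decoded value would reject.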

Impact

This vulnerability allows a user with low privileges who can edit a page to execute arbitrary JavaScript in the browser of any user who views that page and clicks the link, in the context of the Grav site's origin.

We have contacted a member of the getgrav/grav team and are waiting to hear back. (a month ago)
We have sent a follow up to the getgrav/grav team. We will try again in 7 days. (a month ago)
getgrav/grav maintainer validated this vulnerability. (a month ago)
Renan Rocha has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
getgrav/grav maintainer confirmed that a fix has been merged on afc69a. (a month ago)
The fix bounty has been dropped.
Security.php#L82-L125 has been validated.
Jamie Slome (Admin), a month ago:

CVE published! 🎉