Stored XSS in getgrav/grav

Valid

Reported on

Mar 26th 2022


Description

Stored XSS is a vulnerability in which an attacker can execute arbitrary JavaScript in a victim's browser. The payload is persisted on the server (here, in the content of a page) and is rendered into the HTML without escaping, so it executes in the browser of everyone who views that page, in the origin of the site.

Proof of Concept

1. A low-priv user creates a page whose title/content contains the following payload:

a'"></title></script><img src=x onerror=confirm(document.domain)></p>

2. The victim visits the page and the XSS executes.

A confirm() dialog showing the site's domain (document.domain) appears, which proves the script runs in the page's origin. The quotes and closing tags at the start of the payload are there to break out of whatever context the stored value is inserted into (an attribute, the <title> element, or an inline <script>) before the <img onerror=...> is reached.
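To make the mechanism concrete, the following is an added example (not Grav's code, and not part of the original report): a PHP script that renders the reported payload the vulnerable way (raw interpolation of stored page data into a template) and the hardened way (entity-encoding on output), plus a small server-side detector in the spirit of the XSS checks Grav keeps in Security.php, the file named in this report's fix validation entries. The function names, the template layout and the detector's rule set are assumptions made for the example; the real fix should be read from the merged commit.

```php
<?php
// Added example, not Grav's code: shows why the reported payload breaks out of
// an HTML page when stored page data is rendered unescaped, and the minimal
// output-encoding fix. All function names here are hypothetical. Requires PHP 8.
declare(strict_types=1);

// The payload from the report, exactly as an attacker would store it in a page title.
const PAYLOAD = 'a\'"></title></script><img src=x onerror=confirm(document.domain)></p>';

// Vulnerable rendering: the stored title is interpolated raw into two contexts
// (the <title> element and a <p>). The payload's closing tags terminate the
// surrounding element and the <img onerror=...> becomes live markup.
function renderPageVulnerable(string $title): string
{
    return "<html><head><title>{$title}</title></head>"
         . "<body><p>{$title}</p></body></html>";
}

// Hardened rendering: every character that can change HTML structure or break
// out of an attribute (<, >, &, ", ') is entity-encoded before insertion.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderPageSafe(string $title): string
{
    $t = escapeHtml($title);
    return "<html><head><title>{$t}</title></head>"
         . "<body><p>{$t}</p></body></html>";
}

// Defence in depth: a server-side check on untrusted input before it is stored.
// This rule set is an assumption for the example, not the project's own rules.
// Returns a short reason for the first rule that matched, or null if none did.
function detectXss(string $input): ?string
{
    // Normalise two common evasions: NUL bytes and a single layer of entity encoding.
    $s = str_replace("\0", '', $input);
    $s = html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $rules = [
        'script tag'        => '#<\s*/?\s*script\b#i',
        'event handler'     => '#<[^>]*\son[a-z]+\s*=#i',
        'javascript: url'   => '#(?:href|src|action)\s*=\s*["\']?\s*javascript:#i',
        'svg/iframe/object' => '#<\s*(?:svg|iframe|object|embed)\b#i',
    ];
    foreach ($rules as $reason => $re) {
        if (preg_match($re, $s)) {
            return $reason;
        }
    }
    return null;
}

// Demonstration on the reported payload and on harmless markup.
$vuln = renderPageVulnerable(PAYLOAD);
$safe = renderPageSafe(PAYLOAD);

echo "Vulnerable output contains a live onerror handler: "
   . (str_contains($vuln, '<img src=x onerror=') ? 'yes' : 'no') . PHP_EOL;
echo "Hardened output contains a live onerror handler:   "
   . (str_contains($safe, '<img src=x onerror=') ? 'yes' : 'no') . PHP_EOL;
echo "Escaped title: " . escapeHtml(PAYLOAD) . PHP_EOL;
echo "detectXss(payload): " . (detectXss(PAYLOAD) ?? 'none') . PHP_EOL;
echo "detectXss('Hello <b>world</b>'): " . (detectXss('Hello <b>world</b>') ?? 'none') . PHP_EOL;
```

Run it with `php example.php`. The vulnerable output carries the raw `<img src=x onerror=...>`, the hardened output carries only `&lt;img src=x onerror=...`, and the detector flags the payload on its `</script>` fragment before it ever reaches storage. Output encoding is the fix that actually closes the bug; the detector only narrows what an authenticated author can persist and should not be relied on alone, since detection rules can be bypassed while correct escaping cannot.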

Impact

Attacker can execute arbitrary javascript code in the victim's browser

We are processing your report and will contact the getgrav/grav team within 24 hours. (2 months ago)
We have contacted a member of the getgrav/grav team and are waiting to hear back. (2 months ago)
We have sent a follow up to the getgrav/grav team. We will try again in 7 days. (2 months ago)
getgrav/grav maintainer modified the report. (2 months ago)

getgrav/grav maintainer (Maintainer), 2 months ago:

I consider admin privileges to be high -- you do need an admin account to perform this attack.

I was able to reproduce the issue.

getgrav/grav maintainer validated this vulnerability. (2 months ago)
ranjit-git has been awarded the disclosure bounty.
The fix bounty is now up for grabs.

Matias Griese (Maintainer), 2 months ago:


Should be fixed now, waiting for a release.

We have sent a fix follow up to the getgrav/grav team. We will try again in 7 days. (2 months ago)
We have sent a second fix follow up to the getgrav/grav team. We will try again in 10 days. (2 months ago)
We have sent a third and final fix follow up to the getgrav/grav team. This report is now considered stale. (a month ago)
Matias Griese confirmed that a fix has been merged on 1c0ed4. (a month ago)
Matias Griese has been awarded the fix bounty.
Security.php#L32-L78 has been validated.
Security.php#L83-L143 has been validated.
Security.php#L150-L265 has been validated.