Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters

Description

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface.


Details

Vulnerable Endpoint: POST /admin/pages/[page]
Parameters:

  • data[header][metadata]

  • data[header][taxonomy][category]

  • data[header][taxonomy][tag]

The application fails to properly sanitize user input when saving page metadata or taxonomy fields via the Admin Panel. As a result, an attacker with access to the admin interface can inject a malicious script using these parameters, and the script will be stored in the page's YAML frontmatter. When the page or metadata is rendered (especially in the Admin Panel), the payload is executed in the browser of any user with access.


PoC

Payload:

<script>alert('PoC-XXS51')</script>

Steps to Reproduce:

  1. Log into the Grav Admin Panel and navigate to Pages.

  2. Create or edit a page.

  3. Inject the payload above into any of the following fields in the Options tab:

    • Metadata key name

    • Category under Taxonomy

    • Tag under Taxonomy
      image

image

  1. Save the page.
    image

When the page is loaded again in the Admin Panel or potentially on the frontend (depending on how the metadata is used), the script is executed, confirming the Stored XSS vulnerability.


Impact

Stored XSS vulnerabilities can result in serious consequences, including:

  • Session hijacking: Attackers can steal authentication cookies or tokens

  • Malware delivery: Injected scripts can download malicious software

  • Credential theft: Fake input fields can capture usernames and passwords

  • Sensitive data exposure: Access to internal metadata and browser data

  • Administrative access compromise: Especially dangerous in admin-facing interfaces

  • Phishing attacks: Users can be redirected to external malicious sites

  • Reputation damage: Executing arbitrary scripts in trusted systems undermines credibility

by CVE-Hunters

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-12-02 00:37:14 UTC
Updated
2025-12-02 00:37:15 UTC
GitHub reviewed
2025-12-02 00:37:14 UTC
NVD published
2025-12-01

EPSS Score

Score Percentile
0.05% 15.49%

CVSS Scores

Base score Version Severity Vector
6.2 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:H)
High privileges are required.
User interaction (UI:A)
User interaction is required in an active way.
Vulnerable system confidentiality impact (VC:L)
Limited confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L)
Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:H)
High confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:H)
High integrity impact on subsequent systems.
Subsequent system availability impact (SA:H)
High availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits

  • marcelomulder (reporter)
  • nmmorette (coordinator)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer getgrav/grav < 1.11.0-beta.1 1.11.0-beta.1

References

cvelogic Threat Intelligence