GHSA-GQ3G-666W-7H85

Vulnerability from github – Published: 2025-12-02 00:37 – Updated: 2025-12-02 00:37
VLAI?
Summary
Grav Exposes Password Hashes Leading to privilege escalation
Details

Exposure of Password Hashes Leading to privilege escalation

Severity Rating: Medium

Vector: Privilege Escalation

CVE: XXX

CWE: 200 - Exposure of Sensitive Information

CVSS Score: 6.2

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

Analysis

It was observed that if a users is given read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes.

An attacker with read access can: * View and potentially crack the password hashes. * Gain administrative access by cracking the admin password hash. * Escalate privileges and compromise the entire admin panel.

Proof of Concept

1) Give read access to user accounts to a random user as shown in the following figures: grav0 grav2

2) Log in to the admin panel with an account that has read access to user accounts and navigate to the user account management section.

3) Go to the admin profile http://127.0.0.1/admin/accounts/users/admin; The password is not display. Try inspecting the page source code as shown in the following figures: grav2-1

You can see that it match the hash that is in the admin.yaml file : Compare to the hash in database of the admin

4) Crack the hash as shown in the following figure, the algorithm use here is bcrypt:

grav3

Workarounds

No workaround is currently known

Timeline

2024-07-24 Issue identified

2024-09-27 Vendor contacted

About X41 D-Sec GmbH

X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.

Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.

Severity ?
6.2 (Medium)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0-beta.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66304"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-201"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T00:37:07Z",
    "nvd_published_at": "2025-12-01T22:15:50Z",
    "severity": "MODERATE"
  },
  "details": "# Exposure of Password Hashes Leading to privilege escalation\n**Severity Rating:** Medium \n\n**Vector:** Privilege Escalation\n\n**CVE:** XXX\n\n**CWE:** 200 - Exposure of Sensitive Information\n\n**CVSS Score:** 6.2\n\n**CVSS Vector:** CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L\n\n## Analysis\n\nIt was observed that if a users is given read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes.\n\nAn attacker with read access can: \n* View and potentially crack the password hashes.\n* Gain administrative access by cracking the admin password hash.\n* Escalate privileges and compromise the entire admin panel.\n\n\n## Proof of Concept\n\n1) Give read access to user accounts to a random user as shown in the following figures:\n  ![grav0](https://github.com/user-attachments/assets/020a4b47-e577-49cb-8392-bfb61491199d)\n  ![grav2](https://github.com/user-attachments/assets/97fbfc46-c541-4559-9541-2b9b5de86c0e)\n  \n\n2) Log in to the admin panel with an account that has read access to user accounts and navigate to the user account management section.\n\n3) Go to the admin profile `http://127.0.0.1/admin/accounts/users/admin`; The password is not display. Try inspecting the page source code as shown in the following figures:\n  ![grav2-1](https://github.com/user-attachments/assets/057c9c14-f928-4584-99ae-4939f63dda57)\n  \n   You can see that it match the hash that is in the admin.yaml file :\n  ![Compare to the hash in database of the admin](grav2-2.png)\n  \n\n4) Crack the hash as shown in the following figure, the algorithm use here is bcrypt:\n  \n![grav3](https://github.com/user-attachments/assets/ec334f80-4b87-4010-a834-cb92704a596e)\n  \n\n## Workarounds\nNo workaround is currently known\n\n# Timeline\n**2024-07-24** Issue identified\n\n**2024-09-27** Vendor contacted\n\n\n# About X41 D-Sec GmbH\nX41 is an expert provider for application security services.\nHaving extensive industry experience and expertise in the area of information\nsecurity, a strong core security team of world class security experts enables\nX41 to perform premium security services.\n\nFields of expertise in the area of application security are security centered\ncode reviews, binary reverse engineering and vulnerability discovery.\nCustom research and IT security consulting and support services are core\ncompetencies of X41.",
  "id": "GHSA-gq3g-666w-7h85",
  "modified": "2025-12-02T00:37:07Z",
  "published": "2025-12-02T00:37:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66304"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav Exposes Password Hashes Leading to privilege escalation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.