GHSA-GQXX-248X-G29F
Vulnerability from github – Published: 2025-12-02 01:23 – Updated: 2025-12-02 01:23
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/config/site endpoint of the Grav application. An attacker with rights to edit the site configuration can inject script into the data[taxonomies] parameter. The payload is stored on the server and is executed automatically in the browser of any administrator who later views a page in the admin panel where the stored taxonomy types are rendered, making this a persistent attack vector.
Details
Vulnerable Endpoint: POST /admin/config/site
Parameter: data[taxonomies]
The application does not validate or output-encode the value submitted in the data[taxonomies] field. The attacker-controlled taxonomy type name is stored in the site configuration and later rendered without escaping in the administrative interface (the PoC below triggers it by opening a page in the admin Pages view) or in site output, so the embedded script runs in the viewing user's browser. The fix ships in getgrav/grav 1.8.0-beta.27; the correcting commit is in grav-plugin-admin (see the references below). Exploitation requires an account that is already permitted to edit the site configuration (CVSS 4.0 PR:H) and a second user who subsequently views the affected admin page (UI:A), so the practical risk is a configuration editor gaining script execution in the browser session of every other administrator.
PoC
Payload:
"><script>alert('XSS-PoC')</script>
Steps to Reproduce:
1. Log in to the Grav Admin Panel with sufficient permissions to modify site configuration.
2. Navigate to Configuration > Site.
3. In the Taxonomies Types field (which maps to data[taxonomies]), insert the payload above: "><script>alert('XSS-PoC')</script>
4. Save the configuration.
5. Go to Pages and open one of them.
6. The stored payload is executed immediately in the browser, confirming the Stored XSS vulnerability.
7. The HTTP request submitted during this process (a POST to /admin/config/site) carries the payload in the vulnerable data[taxonomies] parameter.
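To make the root cause and the check concrete, here is an added example in Python. It is not Grav's code and not the fix in the referenced commit; Grav itself renders through PHP/Twig. It models the template that writes stored taxonomy type names into the admin page, first without and then with HTML escaping, adds the write-path allowlist one would put behind POST /admin/config/site as defence in depth, and ends with the substring test a tester runs against a fetched admin page to tell whether the payload is still live. The option-list markup, the sample taxonomy names and the allowed character set are this example's assumptions.

```python
"""
Added illustration (not Grav's code) of the CWE-79 defect behind
GHSA-gqxx-248x-g29f: a stored taxonomy type name reaches the admin page
unescaped, so markup in the name becomes part of the document.
"""
import html
import re

# The payload from the advisory's PoC.
POC_PAYLOAD = "\"><script>alert('XSS-PoC')</script>"

# Constructed sample site configuration: two ordinary taxonomy types plus the
# payload, as stored after a config editor saved it via data[taxonomies].
STORED_TAXONOMIES = ["category", "tag", POC_PAYLOAD]


def render_taxonomy_options_vulnerable(taxonomies):
    """Template that interpolates each stored name straight into markup.

    This stands in for a template that renders the value without escaping;
    the double quote in the payload closes the value="" attribute and the
    <script> element lands in the document as real markup.
    """
    return '<select name="taxonomy">' + "".join(
        f'<option value="{t}">{t}</option>' for t in taxonomies
    ) + "</select>"


def render_taxonomy_options_fixed(taxonomies):
    """Same template with every interpolated value HTML-escaped.

    html.escape(quote=True) turns &, <, >, " and ' into entities, so the
    payload stays literal text inside the attribute and the option label.
    """
    def esc(value):
        return html.escape(value, quote=True)

    return '<select name="taxonomy">' + "".join(
        f'<option value="{esc(t)}">{esc(t)}</option>' for t in taxonomies
    ) + "</select>"


# Assumed allowlist for a taxonomy type name (this example's rule, not Grav's):
# letters, digits, underscore and hyphen, 1 to 64 characters.
TAXONOMY_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_taxonomy_type(name):
    """Write-path check for POST /admin/config/site.

    Rejecting anything outside the allowlist keeps markup out of the stored
    configuration. This is defence in depth; output escaping (above) is the
    actual fix, since the stored value is rendered in several places.
    """
    return bool(TAXONOMY_NAME_RE.match(name))


def payload_is_live(html_response, payload=POC_PAYLOAD):
    """Check a tester runs against the fetched admin page after saving the PoC.

    The leading "> only breaks out of an attribute; the <script> element is
    what executes, so that is the part searched for verbatim. Any escaping of
    <, > or ' breaks the match, which is exactly what a fixed build produces.
    """
    tag = payload[payload.index("<script>"):]
    return tag in html_response


if __name__ == "__main__":
    vulnerable = render_taxonomy_options_vulnerable(STORED_TAXONOMIES)
    fixed = render_taxonomy_options_fixed(STORED_TAXONOMIES)
    print("vulnerable render, payload live:", payload_is_live(vulnerable))
    print("fixed render, payload live:     ", payload_is_live(fixed))
    print("payload accepted by allowlist:  ", validate_taxonomy_type(POC_PAYLOAD))
```

Running the block prints True, False, False: the unescaped template leaves the script element intact, the escaped one does not, and the allowlist would have refused the value at save time. The same `payload_is_live` check, pointed at the HTML of the admin Pages view, is how to confirm that an upgrade to 1.8.0-beta.27 or later actually removed the issue on a given install.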
Impact
Stored XSS attacks can lead to severe consequences, including:
- Session hijacking: Stealing cookies or authentication tokens to impersonate users
- Credential theft: Harvesting usernames and passwords using malicious scripts
- Malware delivery: Distributing unwanted or harmful code to victims
- Privilege escalation: Compromising administrative users through persistent scripts
- Data manipulation or defacement: Changing or disrupting site content
- Reputation damage: Eroding trust among site users and administrators
Discoverer
Marcelo Queiroz, by CVE-Hunters (https://github.com/Sec-Dojo-Cyber-House/cve-hunters)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.0-beta.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66308"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-02T01:23:19Z",
"nvd_published_at": "2025-12-01T22:15:50Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/config/site` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[taxonomies]` parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector.\n\n---\n\n## Details\n\n**Vulnerable Endpoint:** `POST /admin/config/site` \n**Parameter:** `data[taxonomies]`\n\nThe application does not properly validate or sanitize input in the `data[taxonomies]` field. As a result, an attacker can inject JavaScript code, which is stored in the site configuration and later rendered in the administrative interface or site output, causing automatic execution in the user\u0027s browser.\n\n---\n\n## PoC\n\n**Payload:**\n\n`\"\u003e\u003cscript\u003ealert(\u0027XSS-PoC\u0027)\u003c/script\u003e`\n\n### Steps to Reproduce:\n\n1. Log in to the _Grav_ Admin Panel with sufficient permissions to modify site configuration.\n \n2. Navigate to **Configuration \u003e Site**.\n \n3. In the **Taxonomies Types** field (which maps to `data[taxonomies]`), insert the payload above:\n \n `\"\u003e\u003cscript\u003ealert(\u0027XSS-PoC\u0027)\u003c/script\u003e`\n \n4. Save the configuration.\n\n\u003cimg width=\"1897\" height=\"628\" alt=\"Pasted image 20250718195942\" src=\"https://github.com/user-attachments/assets/2035fcaa-34fc-494c-a7ca-7c1e1f34b057\" /\u003e\n \n5. Go on Pages and click on one of them\n\n\u003cimg width=\"932\" height=\"587\" alt=\"Pasted image 20250718200306\" src=\"https://github.com/user-attachments/assets/3c1995ba-2581-4e27-ae9d-a17e2eeb5b57\" /\u003e\n \n6. The stored payload is executed immediately in the browser, confirming the Stored XSS vulnerability.\n\n\u003cimg width=\"1204\" height=\"377\" alt=\"Pasted image 20250718200353\" src=\"https://github.com/user-attachments/assets/ad8ea7ea-603f-4b84-aa5a-120de0cb56ce\" /\u003e\n \n7. The HTTP request submitted during this process contains the vulnerable parameter and payload:\n \n\u003cimg width=\"757\" height=\"675\" alt=\"Pasted image 20250718200445\" src=\"https://github.com/user-attachments/assets/fbbe2b76-00eb-4426-8ddd-5cde2cc65d77\" /\u003e\n\n---\n\n## Impact\n\nStored XSS attacks can lead to severe consequences, including:\n\n- **Session hijacking:** Stealing cookies or authentication tokens to impersonate users\n \n- **Credential theft:** Harvesting usernames and passwords using malicious scripts\n \n- **Malware delivery:** Distributing unwanted or harmful code to victims\n \n- **Privilege escalation:** Compromising administrative users through persistent scripts\n \n- **Data manipulation or defacement:** Changing or disrupting site content\n \n- **Reputation damage:** Eroding trust among site users and administrators\n \n\n---\n\n## Discoverer\n\n[Marcelo Queiroz](www.linkedin.com/in/marceloqueirozjr) \n\nby [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)",
"id": "GHSA-gqxx-248x-g29f",
"modified": "2025-12-02T01:23:19Z",
"published": "2025-12-02T01:23:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66308"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.