GHSA-P4WW-MCP9-J6F2

Vulnerability from github – Published: 2025-12-02 00:36 – Updated: 2025-12-02 00:36
VLAI?
Summary
Grav is vulnerable to Arbitrary File Read
Details

Summary

  • A low privilege user account with page editing privilege can read any server files using "Frontmatter" form.
  • This includes Grav user account files - /grav/user/accounts/*.yaml. This file stores hashed user password, 2FA secret, and the password reset token.
  • This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password.

Details

The vulnerability can be found in /user/plugins/form/templates/forms/fields/display/display.html.twig image

PoC

  1. This PoC was conducted on Grav CMS version 1.7.46 and Admin Plugin version 1.10.46

image

  1. go to “http://grav.local/admin/pages” then create new page with “Page Template” option set to “Form”.

image

  1. Then go to “Expert” and on Frontmatter input box used to following form template.

image

  1. Save page and go the preview or published page you will see the content of “/etc/passwd” file on the server.

image

Impact

This can allow a low privileged user to perform a full account takeover of other registered users including Administrators. This can also allow an adversary to read any file on the web server. And Due to insufficient permission verification , user who can write a page also can use frontmatter feature using this IDOR vulnerability PoC IDOR mention in CVE-2024-2792

Severity ?
8.5 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0-beta.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66300"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T00:36:43Z",
    "nvd_published_at": "2025-12-01T22:15:49Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\n- A low privilege user account with page editing privilege can read any server files using \"Frontmatter\" form.\n- This includes Grav user account files - /grav/user/accounts/*.yaml. This file stores hashed user password, 2FA secret, and the password reset token.\n- This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password.\n\n### Details\n_The vulnerability can be found in /user/plugins/form/templates/forms/fields/display/display.html.twig_\n![image](https://github.com/getgrav/grav/assets/28057767/953dbdf1-310f-4c8e-866c-8470d70cc11d)\n\n\n### PoC\n1.\tThis PoC was conducted on Grav CMS version 1.7.46 and Admin Plugin version 1.10.46\n \n![image](https://github.com/getgrav/grav/assets/28057767/6c8607d6-cea3-4699-8a5a-8a04d047676f)\n\n2.\tgo to \u201chttp://grav.local/admin/pages\u201d then create new page with \u201cPage Template\u201d option set to \u201cForm\u201d.\n \n![image](https://github.com/getgrav/grav/assets/28057767/451fe8bc-2e2e-4f8a-a548-385aca6d5504)\n\n3.\tThen go to \u201cExpert\u201d and on Frontmatter input box used to following form template.\n\n![image](https://github.com/getgrav/grav/assets/28057767/9e44758a-021a-45fd-9e26-03abbf8095ef)\n\n4.\tSave page and go the preview or published page you will see the content of \u201c/etc/passwd\u201d file on the server.\n \n![image](https://github.com/getgrav/grav/assets/28057767/94dc2363-10e1-4e74-81e4-6c7a09db4dff)\n\n\n\n### Impact\nThis can allow a low privileged user to perform a full account takeover of other registered users including Administrators. This can also allow an adversary to read any file on the web server. And Due to insufficient permission verification , user who can write a page also can use frontmatter feature using this IDOR vulnerability [PoC IDOR](https://www.youtube.com/watch?v=EU1QA0idoWE\u0026ab_channel=%EA%B9%80%EC%A2%85%EB%AF%BC) mention in [CVE-2024-2792](https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v)",
  "id": "GHSA-p4ww-mcp9-j6f2",
  "modified": "2025-12-02T00:36:44Z",
  "published": "2025-12-02T00:36:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-p4ww-mcp9-j6f2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66300"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav is vulnerable to Arbitrary File Read"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.