Cross-site Scripting (XSS) - Stored in getgrav/grav


Reported on

Jul 1st 2021

✍️ Description

Grav is vulnerable to XSS via bad SVG files. It is possible to upload an SVG file that contains errors after script tags.

🕵️‍♂️ Proof of Concept

SVG file content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">

<svg version="1.1" baseProfile="full" xmlns="">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
  1. Create an SVG file with the above content.
  2. Upload it through profile image update.
  3. Open the target URL.

PoC video.

💥 Impact

This vulnerability is capable of JavaScript code execution.

Renan Rocha submitted a
2 years ago
2 years ago


Hey Renan, how's it going my friend? I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the getgrav/grav team and are waiting to hear back 2 years ago
Renan Rocha
2 years ago


Hey Ziding, thank you !

getgrav/grav maintainer validated this vulnerability 2 years ago
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
getgrav/grav maintainer
2 years ago


Thank you for this Renan, we went with a slightly different patch where instead of emptying the file we move it into a quarantine folder. It is less drastic of an approach and gives the admins the opportunity to review the files. Sometimes SVG sanitization might fail even if not the file is not malicious.

You can check out the commit here

Thanks! Djamil

2 years ago


Thank you Djamil. Great job all round!

Djamil Legato marked this as fixed in 1.7.18 with commit 8af122 2 years ago
Djamil Legato has been awarded the fix bounty
This vulnerability will not receive a CVE
Security.php#L59 has been validated
to join this conversation