stored xss in getgrav/grav

Valid

Reported on Mar 26th 2022


Description

Stored XSS is a vulnerability in which the attacker can execute arbitrary JavaScript code in the victim's browser. The XSS payload is stored in a web page and is executed whenever someone visits that page.

Proof of Concept

1. A low-privileged user creates a page with the following payload:

a'"></title></script><img src=x onerror=confirm(document.domain)></p>

2. The victim visits the page and sees that the XSS is executed.

The XSS alert will show the domain name.

Impact

An attacker can execute arbitrary JavaScript code in the victim's browser.
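As an added example (not code from this report or from Grav's Security.php), a save-time check a site owner can run over stored page content, applied to the payload quoted above, together with the output encoding that renders such a string inert; the check names and regular expressions are my own and only approximate the kind of filtering the fix introduced.

```python
import html
import re

# The stored payload quoted in the Proof of Concept above.
REPORTED_PAYLOAD = 'a\'"></title></script><img src=x onerror=confirm(document.domain)></p>'

# Checks to run on page content when it is saved, before it is ever rendered.
# Deliberately broad: a false positive costs an author one retry, a false
# negative costs every visitor of the page.
_XSS_CHECKS = {
    "script_tag":     re.compile(r'<\s*/?\s*script\b', re.I),
    "event_handler":  re.compile(r'<[^>]*\son[a-z]+\s*=', re.I),  # <img ... onerror=
    "javascript_uri": re.compile(r'(href|src|action)\s*=\s*["\']?\s*javascript\s*:', re.I),
    "embedding_tag":  re.compile(r'<\s*(iframe|object|embed)\b', re.I),
}


def normalize(content: str) -> str:
    """Decode HTML entities (they are live inside attribute values such as
    href) and strip NUL bytes, so the checks match on what a browser sees."""
    return html.unescape(content).replace("\x00", "")


def detect_xss(content: str) -> list:
    """Return the names of the checks the content trips; an empty list is clean."""
    text = normalize(content)
    return [name for name, pattern in _XSS_CHECKS.items() if pattern.search(text)]


def render_as_text(content: str) -> str:
    """Output-encode untrusted content for an HTML element body or attribute:
    '<', '>', '&' and both quote characters become entities, so the stored
    string is displayed literally instead of being parsed as markup."""
    return html.escape(content, quote=True)


if __name__ == "__main__":
    print(detect_xss(REPORTED_PAYLOAD))   # ['script_tag', 'event_handler']
    print(render_as_text(REPORTED_PAYLOAD))
```

Detection at save time and encoding at render time are complementary: the first keeps the payload out of storage, the second makes sure a string that does get stored cannot break out of the element it is printed into.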

We are processing your report and will contact the getgrav/grav team within 24 hours. 2 years ago
We have contacted a member of the getgrav/grav team and are waiting to hear back 2 years ago
We have sent a follow up to the getgrav/grav team. We will try again in 7 days. 2 years ago
getgrav/grav maintainer modified the report 2 years ago

getgrav/grav maintainer (Maintainer), 2 years ago:
I consider admin privileges to be high -- you do need an admin account to perform this attack.

I was able to reproduce the issue.

getgrav/grav maintainer validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Matias Griese (Maintainer), 2 years ago:
Should be fixed now, waiting for a release.

We have sent a fix follow up to the getgrav/grav team. We will try again in 7 days. 2 years ago
We have sent a second fix follow up to the getgrav/grav team. We will try again in 10 days. 2 years ago
We have sent a third and final fix follow up to the getgrav/grav team. This report is now considered stale. 2 years ago
Matias Griese marked this as fixed in 1.7.33 with commit 1c0ed4 2 years ago
Matias Griese has been awarded the fix bounty
This vulnerability will not receive a CVE
Security.php#L32-L78 has been validated
Security.php#L83-L143 has been validated
Security.php#L150-L265 has been validated