Grav is vulnerable to XSS. It is possible to use : instead of : in <a> tags.
Payload:
<a href>CLICK HERE</a>
1: Edit a page with the payload (user with low privileges).
2: Check out the target page and click on CLICK HERE.
When the link is clicked, the vulnerability executes attacker-controlled JavaScript in the victim's browser, with the content editable by a low-privileged user, so it is a stored XSS.
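A server-side check for this class of bug, added here as an example and not code from Grav or from the original report: it parses a content fragment, pulls the href off every <a> tag, normalizes the scheme the way a browser would (ASCII whitespace and control characters dropped, HTML entities decoded, case folded) and flags any scheme that is not on an allowlist. The report above does not spell out which scheme was substituted; the allowlist rejects every scheme it does not know, including javascript:, the usual script-executing one, so the check does not depend on that detail. The sample page content and the allowlist contents are constructed for this example.

```python
import html
import re
from html.parser import HTMLParser
from typing import List, Optional

# Allowlist of schemes permitted in an href authored by a low-privileged user
# (constructed for this example; a real site would tune it to its needs).
SAFE_SCHEMES = {"http", "https", "mailto", "tel"}

# Browsers strip ASCII control characters and leading whitespace before
# parsing a URL, so "java\tscript:" or "  JavaScript:" still runs as a
# script URL. Normalize the same way before inspecting the scheme.
_CONTROL_WS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def href_scheme(href: str) -> Optional[str]:
    """Return the lower-cased scheme of an href, or None for a relative link.

    html.unescape is applied even though HTMLParser already decodes entities;
    decoding twice errs on the side of rejecting more, never less.
    """
    cleaned = _CONTROL_WS.sub("", html.unescape(href))
    m = _SCHEME.match(cleaned)
    return m.group(1).lower() if m else None


def is_safe_href(href: str) -> bool:
    """A relative link or an allowlisted scheme is safe; anything else is not."""
    scheme = href_scheme(href)
    return scheme is None or scheme in SAFE_SCHEMES


class AnchorAuditor(HTMLParser):
    """Collects every href on an <a> tag whose scheme fails the allowlist."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: entities in attrs are decoded
        self.unsafe: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            # A bare "href" with no value yields None and links nowhere.
            if name == "href" and value is not None and not is_safe_href(value):
                self.unsafe.append(value)


def find_unsafe_links(fragment: str) -> List[str]:
    """Return the raw href values in `fragment` that should be rejected."""
    auditor = AnchorAuditor()
    auditor.feed(fragment)
    auditor.close()
    return auditor.unsafe


# Constructed sample of user-authored page content: two benign links, two
# obfuscated script-scheme links, and an href with no value.
SAMPLE_PAGE = """
<p>See <a href="https://getgrav.org/">Grav</a> and <a href="/docs">the docs</a>.</p>
<p><a href="  JaVaScRiPt:alert(document.domain)">CLICK HERE</a></p>
<p><a href="&#106;avascript:alert(1)">also here</a></p>
<p><a href>no value</a></p>
"""

if __name__ == "__main__":
    for bad in find_unsafe_links(SAMPLE_PAGE):
        print(f"rejected href={bad!r} scheme={href_scheme(bad)}")
```

The allowlist approach is deliberate: a denylist of known bad schemes misses the next obfuscation or the next scheme a browser learns to execute, whereas rejecting anything not explicitly permitted fails closed. Run the check at save time on content from any account that is not fully trusted, and keep output escaping in the templates as the second layer.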