Cross-site Scripting (XSS)

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the admin/pages/ endpoint due to insufficient sanitization of user-supplied input in the detectXss function. An...

Grav is Vulnerable to Stored XSS via Tag Injection

Summary A low-privileged with the ability to create a page user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the...

XML External Entity (XXE) Injection

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to XML External Entity XXE Injection in the simplexmlloadstring process when handling uploaded SVG files. An attacker can access sensitive files...

GHSA-3446-6MGW-F79P Grav is Vulnerable to XXE via SVG Upload

Dear Grav Security Team, A security vulnerability was discovered in Grav CMS that allows authenticated attackers to read arbitrary files from the server through XML External Entity XXE injection. Vulnerability Summary | Field | Details | |-------|---------| | Vulnerability Type | XML External...

GHSA-RR73-568V-28F8 Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic

Summary A business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account'...

Improper Enforcement of a Single, Unique Action

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Improper Enforcement of a Single, Unique Action through the user creation process. An attacker can remove administrative privileges and disrup...

Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic

Summary A business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account'...

GHSA-3F29-PQWF-V4J4 Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass

Summary Information disclosure exists in Grav CMS v1.8.0-beta.29. Despite previous security patches notably in v1.8.0-beta.27/28 aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed. A low-privileged user EX: Content Editor with only...

Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass

Summary Information disclosure exists in Grav CMS v1.8.0-beta.29. Despite previous security patches notably in v1.8.0-beta.27/28 aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed. A low-privileged user EX: Content Editor with only...

Improper Input Validation

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Improper Input Validation via the register process. An attacker can gain unauthorized administrative privileges by submitting crafted groups o...

GHSA-C2Q3-P4JR-C55F Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary...

Cross-site Scripting (XSS)

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of taxonomy field values in the admin panel, where user-supplied input is output using the |raw filt...

Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary...

GHSA-W48R-JPPP-RCFW Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature

Summary An authenticated user with administrative privileges can achieve Remote Code Execution RCE by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives...

Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature

Summary An authenticated user with administrative privileges can achieve Remote Code Execution RCE by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives...

GHSA-R945-H4VM-H736 Grav API Privilege Escalation to Super Admin

Summary An insecure direct object reference and logic flaw in the Grav API plugin UsersController::update allows any authenticated user with basic API access api.access to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator...

Grav API Privilege Escalation to Super Admin

Summary An insecure direct object reference and logic flaw in the Grav API plugin UsersController::update allows any authenticated user with basic API access api.access to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator...

Ethyca Fides has a Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection

Summary Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletio...

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the SessionMiddleware process when the X-Admin-Token HTTP header is accepted from the client and its raw value is used as the authenticated user ID if no Kratos session cookie ...

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the SessionMiddleware process when the X-Admin-Token HTTP header is accepted from the client and its raw value is used as the authenticated user ID if no Kratos session cookie ...