getgrav/grav is vulnerable to cross-site scripting (XSS) attacks. When a new avatar is uploaded, parameters sent via SVG files are not sanitized, allowing an attacker to inject arbitrary JavaScript into a victim’s browser.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | getgrav/grav | le | 1.7.0-beta.7 |
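
An upload-side check for the unsanitized SVG avatars described above, as an added example that is not Grav's code or its fix: it streams the file through Python's expat parser and reports script-capable markup. The function name, the element and attribute lists, and the sample SVGs are assumptions constructed for this illustration.

```python
import re
from xml.parsers import expat

# Names and lists below are this example's own choices, not Grav identifiers.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src"}
SCRIPT_URL = re.compile(r"^(javascript|vbscript|data):", re.I)
RASTER_DATA = re.compile(r"^data:image/(png|jpeg|gif)[;,]", re.I)

# Constructed samples with placeholder bodies (not taken from the advisory).
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* constructed */">'
          b'<script>/* constructed */</script></svg>')

class _Rejected(Exception):
    pass

def svg_findings(data):
    """Return reasons to refuse `data` as an avatar; an empty list means none found."""
    findings = []
    # Namespace-aware parsing: names arrive as "<namespace-uri> <local-name>".
    parser = expat.ParserCreate(namespace_separator=" ")

    def on_doctype(*_):
        # Abort before any entity declaration in the DTD is processed.
        raise _Rejected("DOCTYPE/entity declarations are not accepted")

    def on_start(name, attrs):
        local = name.rsplit(" ", 1)[-1].lower()
        if local in ACTIVE_ELEMENTS:
            findings.append(f"active element <{local}>")
        for attr, value in attrs.items():
            a = attr.rsplit(" ", 1)[-1].lower()
            # Browsers ignore whitespace and control characters inside a URL scheme.
            compact = re.sub(r"[\x00-\x20]", "", value)
            if a.startswith("on"):
                findings.append(f"event handler attribute {a}")
            elif a in URL_ATTRS and SCRIPT_URL.match(compact) \
                    and not RASTER_DATA.match(compact):
                findings.append(f"script-capable URL in {a}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Rejected as exc:
        findings.append(str(exc))
    except expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings
```

A non-empty result means the upload should be refused or converted to a raster format before it is stored.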