Grav Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability exists in Grav version 1.7.45. This issue allows users with limited page creation rights to inject malicious JavaScript into their pages, which could be executed by anyone viewing the page, including administrators. The vulnerability arises from inadequate input validation and content filtering, enabling the execution of unauthorized scripts.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, log into a user account with restricted page creation privileges. Create a page and include a link with a double-click event that triggers a JavaScript alert. Once the page is saved, navigate to it and double-click the link to confirm that the alert pops up, indicating that the XSS payload was executed. For a more advanced proof of concept, the injected link can be modified to load a script from an external server, demonstrating the potential for more harmful exploitation.