Grav Admin Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Grav Admin Plugin, prior to version 1.11.0-beta.1. The issue resides in the '/admin/config/site' endpoint, where the 'data[taxonomies]' parameter can be exploited to inject malicious scripts. These scripts are stored on the server and executed in the browsers of users accessing the affected site configuration, creating a persistent attack vector.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user’s browser when they access the affected site configuration.

Reproduction

To reproduce this vulnerability, log into the Grav Admin Panel with permissions to modify site configuration. Navigate to 'Configuration > Site' and, in the 'Taxonomies Types' field, insert a script payload (for example, a script tag containing a JavaScript alert). Save the configuration, then open the 'Pages' section and click on any page; the injected script executes there, demonstrating the stored cross-site scripting vulnerability.

Remediation

Users can update to Grav Admin Plugin version 1.11.0-beta.1 or later, where this vulnerability has been fixed.
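The defensive checks a site operator would want for this class of issue are an audit of stored taxonomy names and HTML-escaping at the point where they are rendered. The following Python is an added example and is not Grav's own code; it assumes that the 'Taxonomies Types' field corresponds to a 'taxonomies' list in the parsed site configuration, and the identifier allow-list pattern and the sample configuration are constructed for this example.

```python
import html
import re

# Taxonomy type names are expected to be plain identifiers; anything else
# is suspect. This allow-list pattern is an assumption for the example,
# not a rule taken from Grav.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample of a parsed site configuration. The 'taxonomies' key
# is assumed to be where the 'Taxonomies Types' field is stored; the third
# entry mimics a stored script payload so the audit has something to flag.
SAMPLE_SITE_CONFIG = {
    "title": "Example Site",
    "taxonomies": ["category", "tag", "<script>alert(1)</script>"],
}


def audit_taxonomies(config):
    """Return the taxonomy entries that are not plain identifiers."""
    names = config.get("taxonomies", [])
    return [str(n) for n in names if not SAFE_NAME.match(str(n))]


def sanitize_taxonomies(config):
    """Return a copy of the config with non-identifier taxonomy entries dropped."""
    clean = dict(config)
    clean["taxonomies"] = [
        str(n) for n in config.get("taxonomies", []) if SAFE_NAME.match(str(n))
    ]
    return clean


def render_taxonomy_options(config):
    """Render taxonomy names as <option> elements, HTML-escaping each value.

    Output encoding at the rendering step is what neutralises a stored
    payload even if validation on the way in was missed.
    """
    parts = []
    for n in config.get("taxonomies", []):
        value = html.escape(str(n), quote=True)  # safe inside an attribute
        label = html.escape(str(n))              # safe as element text
        parts.append(f'<option value="{value}">{label}</option>')
    return "".join(parts)


if __name__ == "__main__":
    flagged = audit_taxonomies(SAMPLE_SITE_CONFIG)
    print("suspect taxonomy entries:", flagged)
    print("escaped markup:", render_taxonomy_options(SAMPLE_SITE_CONFIG))
    print("cleaned config:", sanitize_taxonomies(SAMPLE_SITE_CONFIG)["taxonomies"])
```

Run the audit against the real configuration after upgrading as well: a payload stored before the fix remains in the configuration file until it is removed, and the escaped rendering shows what the fixed template output should look like.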

Added: Dec 1, 2025, 10:20 PM
Updated: Dec 1, 2025, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.4
exploitability: 5.9
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.