Grav
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- 1.7.48
A stored cross-site scripting vulnerability has been identified in the Grav Admin Plugin, prior to version 1.11.0-beta.1. The issue resides in the '/admin/pages/[page]' endpoint, where the 'data[header][template]' parameter can be exploited to inject malicious scripts. These scripts are saved in the page's frontmatter and executed automatically when the content is viewed in either the administrative interface or the frontend. This vulnerability allows for various attacks, including session hijacking, malware delivery, credential theft, data exposure, privilege escalation, website defacement, and reputation damage.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page, potentially leading to session hijacking, credential theft, and other malicious actions.
To reproduce this vulnerability, log into the Grav Admin Panel and navigate to the 'Pages' section. Create a new page or edit an existing one. In the 'Advanced > Template' field, insert a script payload, such as a JavaScript alert. Save the page, then return to the 'Pages' section and access the affected page. The injected script will execute in the browser.
Users can update to Grav Admin Plugin version 1.11.0-beta.1 or later to address this vulnerability.
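To check whether pages already on disk carry markup in the `template` header, the sketch below scans page frontmatter and flags any value that is not a plain template name. It is an added example, not code from Grav or from the fix; the allowed character set, the simplified line-based frontmatter parsing (top-level `template:` scalars only) and the sample pages are assumptions.

```python
import re
from pathlib import Path

# Assumption (not Grav's own rule): a legitimate template name is a plain identifier.
SAFE_TEMPLATE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_./-]*")
TEMPLATE_KEY = re.compile(r"^template:\s*(.*)$")  # top-level key, no indent

def frontmatter_lines(text):
    """Return the lines between the opening and closing '---' fences, or []."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    for i, line in enumerate(lines[1:], start=1):
        if line.strip() == "---":
            return lines[1:i]
    return []  # unterminated frontmatter is treated as absent

def template_value(text):
    """Extract the top-level 'template' scalar, stripping surrounding YAML quotes."""
    for line in frontmatter_lines(text):
        m = TEMPLATE_KEY.match(line)
        if m:
            value = m.group(1).strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]
            return value
    return None

def audit_page(text):
    """Return None if the template header is absent or safe, else the raw value."""
    value = template_value(text)
    if not value or SAFE_TEMPLATE.fullmatch(value):
        return None
    return value

def audit_tree(pages_dir):
    """Scan every .md file under a pages directory; map path -> suspicious value."""
    findings = {}
    for path in Path(pages_dir).rglob("*.md"):
        hit = audit_page(path.read_text(encoding="utf-8", errors="replace"))
        if hit is not None:
            findings[str(path)] = hit
    return findings

# Constructed sample pages, not taken from a real site.
CLEAN = "---\ntitle: Home\ntemplate: default\n---\n# Hello\n"
TAINTED = "---\ntitle: Home\ntemplate: '<script>alert(1)</script>'\n---\n# Hello\n"
```

Point `audit_tree` at the site's pages directory (`user/pages` in a default Grav layout) and review each reported file by hand before editing it.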