Grav Admin Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Grav admin plugin, specifically in versions prior to 1.11.0-beta.1. The issue arises in the '/admin/accounts/groups/Grupo' endpoint, where the 'data[readableName]' parameter is vulnerable to script injection. Attackers can exploit this by injecting malicious scripts that are stored on the server and executed automatically when the affected page is accessed by users.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, navigate to 'Accounts > Groups' in the Grav admin panel. Create a new group or edit an existing one. In the 'Display Name' field, insert a script payload, such as a `<script>` tag, and save the changes. Then, access any user profile under 'Accounts > Users'. The injected script will execute in the browser, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to Grav Admin Plugin version 1.11.0-beta.1 or later to address this vulnerability.