Grav Stored Cross-Site Scripting Vulnerability in Page Editing Functionality

Vulnerability

A stored cross-site scripting vulnerability has been identified in Grav versions prior to 1.7.49.5. This issue allows authenticated low-privileged users with content editing permissions to inject malicious JavaScript into editable fields. The injected payloads are stored on the server and executed when other users view or edit the affected page.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's session. This could lead to session hijacking, cookie theft, extraction of CSRF tokens, execution of JavaScript actions as another user, unauthorized administrative actions if an admin views the injected page, and potential defacement or phishing attacks via script injection.

Reproduction

To reproduce this vulnerability, an authenticated user with low privileges and permission to edit content can inject JavaScript payloads into editable fields. Once the payload is saved, it will execute automatically when another user views or edits the page.
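A triage sketch for the two questions this advisory raises, whether an installation is older than 1.7.49.5 and whether stored page content already carries script-bearing markup. It is an added example, not code from Grav or from this advisory. It assumes page content is available as text (for instance Markdown files read from a Grav `user/pages` directory); the function names, the heuristic patterns and the sample page are constructed for illustration.

```python
import re

FIXED = (1, 7, 49, 5)  # advisory: versions prior to 1.7.49.5 are affected

# Heuristic markers of script-bearing markup (assumed patterns, not from the advisory).
PATTERNS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("inline event handler", re.compile(r"<[^>]+\son\w+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
]

def is_affected(version):
    """True if a Grav version string sorts before the fixed release."""
    core, _, pre = version.strip().lstrip("v").partition("-")
    nums = [int(p) for p in core.split(".")]
    key = tuple(nums + [0] * (4 - len(nums)))
    # A pre-release of the fixed version still counts as affected.
    return key < FIXED or (key == FIXED and bool(pre))

def audit_page(text):
    """Return (line number, label) for every suspicious line in one page file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            if rx.search(line):
                hits.append((lineno, label))
    return hits

# Constructed sample page (YAML front matter + Markdown body), not real data.
SAMPLE_PAGE = """\
---
title: Team news
---
# Welcome
<img src="logo.png" onerror="/* constructed marker */">
Plain [link](https://example.org/about).
<script>/* constructed marker */</script>
"""

if __name__ == "__main__":
    for v in ("1.7.48", "1.7.49.4", "1.7.49.5", "1.8.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    for lineno, label in audit_page(SAMPLE_PAGE):
        print(f"line {lineno}: {label}")
```

Hits are leads for manual review rather than verdicts, since pages may legitimately embed HTML.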

Added: Dec 15, 2025, 4:19 PM
Updated: Dec 15, 2025, 6:33 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.4
exploitability: 6.8
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.