Grav Stored Cross-Site Scripting Vulnerability with Remote Code Execution Potential

Vulnerability

A stored cross-site scripting vulnerability has been identified in Grav versions prior to 2.0.0-beta.2. This issue allows a low-privileged user, with the ability to create pages, to inject SVG elements that execute JavaScript. The injected script can be used to exfiltrate sensitive system information from the admin configuration page whenever a Super Admin visits the page. This vulnerability can be further escalated to remote code execution by chaining it with the admin nonce.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, with the injected script executing in the context of an admin user. This leads to unauthorized access to admin-level information and can be chained with other vulnerabilities to achieve remote code execution.

Reproduction

To reproduce this vulnerability, create a low-privileged user account that can create pages. Log in as this user and navigate to the page creation interface. Inject an SVG element containing a script payload into the page content. Once the page is saved, log in as a Super Admin and visit the injected page. The script will execute, sending a request to exfiltrate admin configuration information.
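As an added illustration (not Grav project code), the following check is the kind of review a defender would run over stored page content to flag SVG markup that can execute script: a `<script>` element inside `<svg>`, `on*` event-handler attributes, and `javascript:` URLs. The sample content it scans is constructed for the example.

```python
"""Flag SVG markup in stored page content that could execute script.

Added example, not Grav code. Walks the markup with the standard-library
HTMLParser and records the constructs a stored-XSS review looks for.
"""
from html.parser import HTMLParser


class SvgScriptFinder(HTMLParser):
    """Collect findings while tracking whether we are inside an <svg> element."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth and tag == "script":
            self.findings.append("script element inside svg")
        for name, value in attrs:
            # Any on* attribute (onload, onclick, ...) is an inline event handler.
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name} on <{tag}>")
            # javascript: URLs in href/xlink:href also run script when followed.
            if name in ("href", "xlink:href") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def find_svg_script(content: str) -> list:
    """Return human-readable findings for the content; an empty list means nothing flagged."""
    parser = SvgScriptFinder()
    parser.feed(content)
    parser.close()
    return parser.findings


# Constructed samples: a benign inline SVG and one carrying a script element.
BENIGN = '<p>Hello</p><svg viewBox="0 0 10 10"><circle r="4"/></svg>'
RISKY = '<svg><script>/* constructed sample */</script></svg>'

if __name__ == "__main__":
    print(find_svg_script(BENIGN))  # []
    print(find_svg_script(RISKY))   # ['script element inside svg']
```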

Remediation

Users are advised to update Grav to version 2.0.0-beta.2 or later, where this vulnerability has been fixed.

Added: May 11, 2026, 4:39 PM
Updated: May 11, 2026, 4:39 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.4
exploitability: 6.5
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.