Grav Stored Cross-Site Scripting Vulnerability in Event Attributes

Vulnerability

A stored cross-site scripting (XSS) vulnerability affects Grav versions prior to 2.0.0-beta.2. It allows publisher-level accounts to execute arbitrary JavaScript in the browsers of other users who view the affected content. The cause is a blacklist bypass in the 'detectXss()' function: its check for HTML event-handler attributes only matches values that are quoted, so an event handler written without quotes (which browsers accept) passes the filter unchanged. The payload is stored with the content and executes whenever the content is rendered.

Impact

Exploitation results in stored cross-site scripting: the injected script runs in the browser of every user who views the content, with that user's session and privileges in the application. This can lead to session hijacking or to actions performed on behalf of the victim.

Reproduction

To reproduce this vulnerability, a publisher-level account injects an image tag with an unquoted 'onerror' event attribute into a vulnerable content field, for example an 'img' element whose 'src' points to a resource that does not exist and whose unquoted 'onerror' value is JavaScript. Because the attribute value carries no quotes, the blacklist does not match it and the tag is stored as-is. When the content is viewed, the image fails to load and the handler runs; 'alert(document.cookie)' demonstrates that the script can read the document's cookies (an actual attack would send them to an attacker-controlled endpoint rather than display them).
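The bypass described in the Vulnerability and Reproduction sections comes down to how attribute values are matched. The following JavaScript model is an added example and is not Grav's code (Grav is written in PHP); it places a quote-requiring blacklist pattern, which is a constructed stand-in and not the actual regex in Grav's 'detectXss()', beside a check that parses attributes the way an HTML tokenizer does, so an 'on*' handler is found whether its value is double-quoted, single-quoted, or unquoted. The sample inputs are constructed for the demonstration.

```javascript
// Added example, not Grav's code. Models the bug class on this page: an
// event-attribute blacklist that only matches quoted values, beside a check
// that follows the HTML attribute grammar and is therefore quoting-agnostic.

// Constructed stand-in for a quote-requiring blacklist pattern. This is an
// assumption for illustration, NOT the real pattern in Grav's detectXss().
const QUOTED_EVENT_ATTR = /\bon[a-z]+\s*=\s*["'][^"']*["']/i;

function naiveDetectXss(html) {
  return QUOTED_EVENT_ATTR.test(html);
}

// Minimal tag scanner following the HTML attribute grammar: attribute names
// end at whitespace, '=', '/' or '>'; values may be double-quoted,
// single-quoted, unquoted (ending at whitespace or '>'), or absent.
// Not a full HTML5 tokenizer, but it covers the quoting forms that a
// quote-requiring blacklist gets wrong.
function scanTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    let j = i + 1;
    if (html[j] === '/') j++;                       // closing tag
    const nameStart = j;
    while (j < html.length && /[A-Za-z0-9:-]/.test(html[j])) j++;
    if (j === nameStart) { i++; continue; }         // a '<' that starts no tag
    const name = html.slice(nameStart, j).toLowerCase();
    const attrs = [];
    while (j < html.length && html[j] !== '>') {
      while (j < html.length && /[\s\/]/.test(html[j])) j++;
      if (j >= html.length || html[j] === '>') break;
      const aStart = j;
      while (j < html.length && !/[\s=\/>]/.test(html[j])) j++;
      const attrName = html.slice(aStart, j).toLowerCase();
      let value = null;
      let k = j;
      while (k < html.length && /\s/.test(html[k])) k++;
      if (html[k] === '=') {
        k++;
        while (k < html.length && /\s/.test(html[k])) k++;
        if (html[k] === '"' || html[k] === "'") {
          const quote = html[k++];
          const vStart = k;
          while (k < html.length && html[k] !== quote) k++;
          value = html.slice(vStart, k);
          if (k < html.length) k++;                 // consume closing quote
        } else {
          const vStart = k;                         // unquoted value
          while (k < html.length && !/[\s>]/.test(html[k])) k++;
          value = html.slice(vStart, k);
        }
        j = k;
      }
      if (attrName) attrs.push({ name: attrName, value });
    }
    tags.push({ name, attrs });
    i = j + 1;
  }
  return tags;
}

// Report every on* attribute regardless of how (or whether) its value is quoted.
function findEventHandlers(html) {
  const hits = [];
  for (const tag of scanTags(html)) {
    for (const attr of tag.attrs) {
      if (/^on[a-z]+$/.test(attr.name)) hits.push(`${tag.name}@${attr.name}`);
    }
  }
  return hits;
}

// Constructed inputs: the quoted form the blacklist catches, the unquoted form
// from the advisory that bypasses it, a quoted value containing '>', and
// benign text that must not be flagged.
const SAMPLES = {
  quoted:   '<img src="x" onerror="alert(document.cookie)">',
  unquoted: '<img src=x onerror=alert(document.cookie)>',
  mixed:    '<a title=">" onclick=go()>link</a>',
  benign:   '<p>1 < 2 and "onclick" is just text</p>',
};

for (const [label, html] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(9), 'naive:', naiveDetectXss(html),
              'tokenizer:', findEventHandlers(html));
}
```

The 'unquoted' sample is the advisory's payload: the quote-requiring check returns false for it while the attribute-grammar check still reports 'img@onerror'. Checks of this kind should be a defence-in-depth measure only; the durable fix for stored content is to parse it into a DOM and allow-list elements and attributes rather than to pattern-match the raw string.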

Remediation

Update to Grav version 2.0.0-beta.2 or later, where the 'detectXss()' check has been corrected. Until the update is applied, treat publisher-level accounts as trusted, since any such account can plant the payload.

Added: May 11, 2026, 4:39 PM
Updated: May 11, 2026, 4:39 PM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact          1.7
  exploitability  6.5
  remediation     7.7
  relevance       8.0
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.