Grav
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- < 2.0.0-beta.2
A stored cross-site scripting vulnerability has been identified in Grav versions prior to 2.0.0-beta.2. The issue allows authenticated users with page editing permissions to inject JavaScript event-handler attributes into images using Grav's Markdown media action syntax. This is achieved by exploiting how Markdown image query parameters are processed and converted into media actions, ultimately allowing the injection of arbitrary HTML attributes, including event handlers whose JavaScript runs when the image is rendered.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the affected page. This could target administrators or reviewers in a multi-user Grav installation.
To reproduce this vulnerability, an authenticated user with page editing rights can insert a Markdown image reference into the page content. The image URL should include an 'attribute' query parameter with a JavaScript payload, such as an 'onload' event handler. Once the page is saved and viewed, the injected script will execute, demonstrating the cross-site scripting vulnerability.
Users can update to Grav version 2.0.0-beta.2 or later, where this vulnerability has been fixed.
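As a defender-side illustration added here (not Grav's own code or its actual fix), the following Python applies an allowlist to the `attribute` media action described above and audits page content for image references whose attributes would be rejected. It assumes the action takes a `name,value` pair; the allowlist, the image regex and the sample page content are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Allowlist of <img> attributes a renderer may pass through (an assumption
# for this example, not Grav's fix).
ALLOWED_ATTRIBUTES = {"alt", "title", "class", "id", "width", "height", "loading"}

# Matches Markdown image references ![alt](url) and captures the URL.
IMAGE_RE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")


def attribute_actions(url):
    """Return (name, value) pairs from 'attribute=name,value' query parameters."""
    # Assumption: the attribute action takes 'name,value'; repeats are allowed.
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    pairs = []
    for raw in query.get("attribute", []):
        name, _, value = raw.partition(",")
        pairs.append((name.strip().lower(), value))
    return pairs


def filter_attributes(url):
    """Split attribute actions into (allowed, rejected) lists."""
    allowed, rejected = [], []
    for name, value in attribute_actions(url):
        # on* event handlers are always rejected; everything else must be allowlisted.
        if name.startswith("on") or name not in ALLOWED_ATTRIBUTES:
            rejected.append((name, value))
        else:
            allowed.append((name, value))
    return allowed, rejected


def audit_markdown(markdown):
    """Detection pass: list each image URL in page content carrying a rejected attribute."""
    findings = []
    for url in IMAGE_RE.findall(markdown):
        _, rejected = filter_attributes(url)
        if rejected:
            findings.append((url, rejected))
    return findings


# Constructed sample page content: one benign image and one carrying an
# event-handler attribute with a placeholder value (not a working script).
SAMPLE_PAGE = """
![Logo](logo.png?attribute=class,round)
![Photo](photo.jpg?attribute=onload,PLACEHOLDER&attribute=title,Team)
"""

if __name__ == "__main__":
    for url, rejected in audit_markdown(SAMPLE_PAGE):
        print(f"{url}: rejected {rejected}")
```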