Grav Admin2 Stored XSS via Pages API Partial Validation

Vulnerability Overview Vulnerability Name: Grav 2.0.0-rc.9 / Admin2 2.0.0-rc.14 - Stored XSS via missing XSS safety check in Admin2 Pages API partial validation Vulnerability Description: Grav 2.0.0-rc.9 and Admin2 2.0.0-rc.14 contain a stored Cross-Site Scripting (XSS) vulnerability located in the save process of the Admin2 Pages API. An authenticated non-superuser with page write permissions can inject arbitrary HTML event handler JavaScript into the page Markdown content via the endpoint. Because the Admin2/API partial page validation path does not perform an XSS safety check before saving the page content, malicious scripts are persistently stored and executed when rendered on the public frontend. Impact Scope Affected Versions: - Grav: 2.0.0-rc.9 - Admin2: 2.0.0-rc.14 - API plugin: 1.0.0-rc.14 Affected Users: - Any visitor who accesses the affected pages, including unauthenticated visitors and authenticated administrators. - Attackers require an authenticated account with page write permissions. Potential Impact: - Execution of arbitrary JavaScript code. - Leveraging the victim's browser session for same-origin requests. - Modification of page content or administrator status. - Reading of same-origin data. Remediation Fixed Versions: - Grav: 2.0.0-rc.9 - Admin2: 2.0.0-rc.14 - API plugin: 1.0.0-rc.15 Remediation Measures: - Add an XSS safety check to the Admin2/API partial page validation path to ensure content sanitization before saving page content. Proof of Concept (POC) Code Step 1 - Authenticate to the API Step 2 - Retrieve Page Content Step 3 - Inject Stored XSS Payload Step 4 - Verify Persistence Step 5 - Verify Public Rendering Step 6 - Verify JavaScript Execution System Information Grav CMS: 2.0.0-rc.9 Admin2 plugin: 2.0.0-rc.14 API plugin: 1.0.0-rc.14 Operating System: Any

Goal Reached Thanks to every supporter — we hit 100%!

Grav Admin2 Stored XSS via Pages API Partial Validation

More from this source