Headline
GHSA-rmw5-f87r-w988: Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/accounts/groups/[group] endpoint of the Grav Admin Plugin (Grupo is the group name used in the PoC below). An authenticated administrator who can edit groups can inject script into the data[readableName] parameter, which holds the group's Display Name. The injected script is stored on the server and executes in the browser of any administrator who later opens a page that renders the group's display name, such as a user profile under Accounts > Users. Because the victim is an authenticated administrator, the impact is that of a compromised admin session.
Details
Vulnerable Endpoint: POST /admin/accounts/groups/Grupo (the path segment is the name of the group being created or edited; Grupo is the PoC's example)
Parameter: data[readableName] (the group's Display Name)
The application neither validates nor sanitizes the value submitted in data[readableName], and it later renders the stored value into admin pages without HTML output encoding. An attacker with group-edit rights in the admin panel can therefore store arbitrary markup, including script tags, which executes in the browser of any administrator who views a page that displays the affected group's name.
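The following block is an added illustration, not code from the Grav Admin Plugin (which renders its pages with PHP and Twig; the real fix is the commit listed under References). It models the three rendering behaviours that matter here: interpolating the stored display name raw, "fixing" it with a lowercase tag blocklist, and applying contextual HTML encoding. The option-element template, the group record and the helper names are assumptions made for the example; the payload is the one from the PoC below.

```python
import html
import re

# Payload as given in the advisory's PoC (mixed-case tag name is deliberate).
PAYLOAD = "<ScRipT>alert('PoC-XSS')</ScRipT>"

# Hypothetical group record in the shape the advisory describes:
# groupname from the URL path, readableName from data[readableName].
GROUP = {"groupname": "Grupo", "readableName": PAYLOAD}

# A browser's HTML parser treats tag names case-insensitively, so the
# check that matters is also case-insensitive.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_option_vulnerable(group):
    """Model of the faulty behaviour: readableName is interpolated raw
    into an assumed <option> element on the user-profile form."""
    return '<option value="{}">{}</option>'.format(
        group["groupname"], group["readableName"])


def render_option_blocklist(group):
    """Naive 'fix' that strips only a lowercase <script> tag.

    The advisory's mixed-case payload passes through untouched, which is
    why tag blocklists are not an acceptable XSS defence."""
    cleaned = group["readableName"].replace("<script>", "").replace("</script>", "")
    return '<option value="{}">{}</option>'.format(group["groupname"], cleaned)


def render_option_safe(group):
    """Contextual output encoding: each value is HTML-entity escaped for
    the element and attribute context it lands in (html.escape with
    quote=True also encodes ' as &#x27; and \" as &quot;)."""
    return '<option value="{}">{}</option>'.format(
        html.escape(group["groupname"], quote=True),
        html.escape(group["readableName"], quote=True),
    )


def has_live_script_tag(markup):
    """True if the markup still contains a real <script ...> opening tag."""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    for label, render in (("vulnerable", render_option_vulnerable),
                          ("blocklist", render_option_blocklist),
                          ("escaped", render_option_safe)):
        out = render(GROUP)
        print(f"{label:10s} script tag survives: {has_live_script_tag(out)!s:5s}  {out}")
```

Only the escaped rendering neutralizes the payload; the blocklist variant is shown because a case-sensitive filter is a common but wrong reaction to a report like this one.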
PoC
Payload:
<ScRipT>alert('PoC-XSS')</ScRipT>
The mixed-case tag name is deliberate: browsers parse tag names case-insensitively, so the payload also defeats filters that only match a lowercase <script> tag.
- Navigate to Accounts > Groups in the administrative panel.
- Create a new group or edit an existing one.
- In the Display Name field (data[readableName]), insert the payload above and save the changes.
The following HTTP request was generated during this action:
- Next, go to Accounts > Users and open any user profile.
- The malicious script executes as soon as the page loads, confirming the Stored XSS vulnerability.
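As a check a responder would want after reading the PoC: the payload is persisted server-side, so existing installations can be audited for group display names that already carry markup. The script below is an added example, not part of the advisory or of Grav. It assumes groups are stored in the YAML layout Grav documents for user/config/groups.yaml (verify the path on your install) and uses a deliberately minimal line-based reader rather than a full YAML parser; the sample document is constructed for the example, with the PoC payload planted under the group Grupo.

```python
import re
import sys

# Constructed sample in the layout Grav uses for user/config/groups.yaml.
# The path and layout are assumptions for this example; the PoC payload is
# planted under "Grupo" the way a successful exploit would leave it.
SAMPLE_GROUPS_YAML = """\
admins:
  readableName: Administrators
  description: Administrators group
  icon: users
Grupo:
  readableName: '<ScRipT>alert(''PoC-XSS'')</ScRipT>'
  description: Injected during the PoC
editors:
  readableName: 'Editors & Writers'
  description: Content editors
"""

GROUP_KEY = re.compile(r"^([^\s#][^:]*):\s*$")            # top-level key = group name
READABLE = re.compile(r"^\s+readableName:\s*(.*?)\s*$")   # indented readableName entry
# Anything that looks like a tag, a javascript: URL or an on*= handler.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def unquote_yaml_scalar(value):
    """Strip one layer of YAML single/double quotes from a scalar.
    Minimal helper for this audit; not a general YAML parser."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        inner = value[1:-1]
        return inner.replace("''", "'") if value[0] == "'" else inner
    return value


def find_suspicious_group_names(yaml_text):
    """Return [(group, readableName)] for every group whose display name
    contains markup or script-like content."""
    hits = []
    current = None
    for line in yaml_text.splitlines():
        key = GROUP_KEY.match(line)
        if key:
            current = key.group(1).strip()
            continue
        entry = READABLE.match(line)
        if entry and current is not None:
            name = unquote_yaml_scalar(entry.group(1))
            if SUSPICIOUS.search(name):
                hits.append((current, name))
    return hits


if __name__ == "__main__":
    # Usage: python audit_groups.py [path/to/user/config/groups.yaml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_GROUPS_YAML
    for group, name in find_suspicious_group_names(text):
        print(f"suspicious readableName in group {group!r}: {name!r}")
```

A hit is not proof of exploitation by itself (an administrator may legitimately have typed an ampersand or an angle bracket), but a script tag or event handler in a display name should be treated as an indicator and correlated with the admin panel's access log for the matching POST.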
Impact
Because the script runs inside an authenticated administrator's session in the Grav admin panel, it can issue requests as that administrator (for example, to create accounts or change group permissions). Stored XSS in this position can therefore lead to:
- Session hijacking: stealing authentication cookies or tokens
- Malware delivery: injecting scripts that load further malicious content
- Credential theft: capturing usernames and passwords through injected forms
- Sensitive data exposure: reading data available to the browser or the admin application
- Session abuse: running arbitrary JavaScript with the victim administrator's privileges
- Phishing attacks: redirecting users to fake login or malicious sites
- Website defacement: altering page content shown to users
- Reputational damage: undermining trust in the platform or organization
by CVE-Hunters
References
- https://github.com/advisories/GHSA-rmw5-f87r-w988
- https://nvd.nist.gov/vuln/detail/CVE-2025-66312
- https://github.com/getgrav/grav-plugin-admin/commit/99f6532