#perl

**Endpoint**: `admin/config/system` **Submenu**: `Languages` **Parameter**: `Supported` **Application**: Grav v 1.7.48 --- ## Summary A Denial of Service (DoS) vulnerability was identified in the **"Languages"** submenu of the Grav **admin configuration panel** (`/admin/config/system`). Specifically, the `Supported` parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (`/`) or an XSS test string—it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the `preg_match()` function with an **improperly constructed regular expression**, resulting in the following error: `preg_match(): Unknown modifier 'o' File: /system/src/Grav/Common/Language/Language.php line 244` Once triggered, the site becomes completely unavailable to all users. --- ## Details - **Vulnerable Endpoint**: `POST /admin/config/system` - **Submenu**: `Languages` - **Paramet...

## **Summary** An **IDOR (Insecure Direct Object Reference)** vulnerability in the Grav CMS Admin Panel allows **low-privilege users to access sensitive information** from other accounts. Although direct account takeover is not possible, **admin email addresses and other metadata can be exposed**, increasing the risk of phishing, credential stuffing, and social engineering. --- ## **Details** * **Endpoint:** `/admin/accounts/users/{username}` * **Tested Version:** Grav Admin 1.7.48 * **Affected Accounts:** Authenticated users with **0 privileges** (non-privileged accounts) **Description:** Requesting another user’s account details (e.g., `/admin/accounts/users/admin`) as a low-privilege user returns an HTTP **403 Forbidden** response. However, sensitive information such as the **admin’s email address** is still present in the **response source**, specifically in the `<title>` tag. **system/src/Grav/Common/Flex/Types/Users/UserCollection.php** <img width="700" height="327" alt="Sc...

### Summary ``` A path traversal vulnerability has been identified in Grav CMS, versions 1.7.49.5 , allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of the user account running the application. ``` ### PoC ``` To accurately demonstrate the maximum potential impact of this vulnerability, the testing environment was configured in a specific way: - Elevated Privileges: The application was run locally with the highest possible system privileges, operating under the **`root`** user account. - Objective: This configuration was chosen to unequivocally show that the path traversal vulnerability is not just a theoretical issue but can lead to a compl...

## Summary A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/accounts/groups/Grupo` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[readableName]` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. --- ## Details **Vulnerable Endpoint:** `POST /admin/accounts/groups/Grupo` **Parameter:** `data[readableName]` The application fails to properly validate and sanitize user input in the `data[readableName]` parameter. This lack of input handling allows attackers to inject arbitrary script content that is stored in the application and executed in the browser of any user who views the affected group configuration. --- ## PoC **Payload:** `<ScRipT>alert('PoC-XSS')</ScRipT>` 1. Navigate to **Accounts > Groups** in the administrative panel. 2. Create a new group or edi...

## Summary A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[header][metadata]`, `data[header][taxonomy][category]`, and `data[header][taxonomy][tag]` parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface. --- ## Details **Vulnerable Endpoint:** `POST /admin/pages/[page]` **Parameters:** - `data[header][metadata]` - `data[header][taxonomy][category]` - `data[header][taxonomy][tag]` The application fails to properly sanitize user input when saving page metadata or taxonomy fields via the Admin Panel. As a result, an attacker with access to the admin interface can inject a malicious script using these parameters, and the script will be stored in the page's YAML frontmatter. When the page or met...

# DOS on the admin panel **Severity Rating:** Medium **Vector:** Denial Of Service **CVE:** XXX **CWE:** 400 - Uncontrolled Resource Consumption **CVSS Score:** 4.9 **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H ## Analysis A Denial of Service (DoS) vulnerability has been identified in the application related to the handling of `scheduled_at` parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the `scheduled_at` parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations. The only way to recover from this issue is to manually access the host server and modify the `backup.yaml` file to correct the corrupted cron expression ## Proof of Concept 1) Change the value of `scheduled_at` parameter to `'` as shown in the following figures at the `http://127.0.0.1/admin/tools` endpoint, and observe the...

# Summary Affected versions of Better Auth allow an external request to configure `baseURL` when it isn’t defined through any other means. This can be abused to poison the router’s base path, causing all routes to return 404 for all users. This issue is only exploitable when `baseURL` is not explicitly configured (e.g., `BETTER_AUTH_URL` is missing) *and* the attacker is able to make the very first request to the server after startup. In properly configured environments or typical managed hosting platforms, this fallback behavior cannot be reached. # Details A combination of `X-Forwarded-Host` and `X-Forwarded-Proto` is implicitly trusted. This allows the first request to configure baseURL whenever it is not explicitly configured. Here's the code that reads the headers: <img width="631" height="219" alt="headers" src="https://github.com/user-attachments/assets/b3fb0078-a62f-4058-9d0b-4afbd30c4953" /> Here's the call to `getBaseURL()`, the result is assigned to `ctx.baseURL`. <i...

### Impact when using the extended query parser in express (`'query parser': 'extended'`), the `request.query` object inherits all object prototype properties, but these properties can be overwritten by query string parameter keys that match the property names > [!IMPORTANT] > the extended query parser is the default in express 4; this was changed in express 5 which by default uses the simple query parser ### Patches the issue has been patched to ensure `request.query` is a plain object so `request.query` no longer has object prototype properties. this brings the default behavior of extended query parsing in line with express's default simple query parser ### Workaround this only impacts users using extended query parsing (`'query parser': 'extended'`), which is the default in express 4, but not express 5. all users are encouraged to upgrade to the patched versions, but can otherwise work around this issue: #### provide `qs` directly and specify `plainObjects: true` ```js ap...

Hackers aren’t kicking down the door anymore. They just use the same tools we use every day — code packages, cloud accounts, email, chat, phones, and “trusted” partners — and turn them against us. One bad download can leak your keys. One weak vendor can expose many customers at once. One guest invite, one link on a phone, one bug in a common tool, and suddenly your mail, chats, repos, and

Practicing good “operations security” is essential to staying safe online. Here's a complete guide for teenagers (and anyone else) who wants to button up their digital lives.