Featured image of post CVE-2025-66308
XSS Moderate Grav Security WebApp

CVE-2025-66308

Cross-Site Scripting (XSS) Stored

CVE-2025-66308: Cross-Site Scripting (XSS) Stored endpoint /admin/config/site parameter data[taxonomies]

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-66308

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[taxonomies] parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector.

Details

Vulnerable Endpoint: POST /admin/config/site

Parameter: data[taxonomies]

The application does not properly validate or sanitize input in the data[taxonomies] field. As a result, an attacker can inject JavaScript code, which is stored in the site configuration and later rendered in the administrative interface or site output, causing automatic execution in the user's browser.

PoC

Payload

1

"><script>alert('XSS-PoC')</script>

Steps to Reproduce:

  • Log in to the Grav Admin Panel with sufficient permissions to modify site configuration.
  • Navigate to Configuration > Site.
  • In the Taxonomies Types field (which maps to data[taxonomies]), insert the payload.
  • Save the configuration.

  • Go on Pages and click on one of them.

  • The stored payload is executed immediately in the browser, confirming the Stored XSS vulnerability.

  • The HTTP request submitted during this process contains the vulnerable parameter and payload:

Impact

  • Session hijacking: Stealing cookies or authentication tokens to impersonate users.
  • Credential theft: Harvesting usernames and passwords using malicious scripts.
  • Malware delivery: Distributing unwanted or harmful code to victims.
  • Privilege escalation: Compromising administrative users through persistent scripts.
  • Data manipulation or defacement: Changing or disrupting site content.
  • Reputation damage: Eroding trust among site users and administrators.

Reference

https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f

Finder

Marcelo Queiroz

By: CVE-Hunters

© 2020 - 2026 CVE-Hunters
Built with Hugo
Theme Stack designed by Jimmy