Featured image of post CVE-2025-66309
XSS Moderate Grav Security WebApp

CVE-2025-66309

Cross-Site Scripting (XSS) Reflected

CVE-2025-66309: Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the “Blog Config” tab

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-66309

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][content][items] parameter.

Details

Vulnerable Endpoint: GET /admin/pages/[page]

Parameter: data[header][content][items]

The application fails to properly validate and sanitize user input in the data[header][content][items] parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session.

PoC

Payload:

1

"><ImG sRc=x OnErRoR=alert('XSS-PoC3')>

  • Log in to the Grav Admin Panel and navigate to Pages.
  • Create a new page or edit an existing one.
  • In the Advanced > Blog Config > Items field (which maps to data[header][content][items]), insert the payload above.

  • Save the page.
  • The malicious payload is reflected and rendered by the application without proper sanitization. The JavaScript code is immediately executed in the browser.

Impact

  • Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
  • Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
  • Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
  • Stealing credentials: Attackers can steal a user's credentials.
  • Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
  • Defacing websites: Attackers can deface a website by altering its content.
  • Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
  • Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.

Reference

https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq

Finder

Marcelo Queiroz

By: CVE-Hunters

© 2020 - 2026 CVE-Hunters
Built with Hugo
Theme Stack designed by Jimmy