CVE-2025-66312: Cross-Site Scripting (XSS) Stored endpoint /admin/accounts/groups/[group] parameter data[readableName]
CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-66312
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/accounts/groups/[group] endpoint of the Grav admin panel (the PoC below uses a group named Grupo, so the request goes to /admin/accounts/groups/Grupo). The data[readableName] parameter, which carries the group's Display Name, is stored without sanitisation and later rendered without output encoding on user profile pages. A script injected there is persisted on the server and executes in the browser of every admin-panel user who opens an affected user profile, so a single edit by an account that can manage groups yields code execution in other administrators' sessions.
Details
Vulnerable Endpoint: POST /admin/accounts/groups/Grupo
Parameter: data[readableName] (the group's Display Name)
Preconditions: an authenticated admin-panel account with permission to create or edit groups; the injected script runs in the session of any admin-panel user who subsequently views a user profile.
PoC
Payload
Steps to Reproduce:
- Navigate to Accounts > Groups in the administrative panel.
- Create a new group or edit an existing one (the PoC uses a group named Grupo).
- In the Display Name field (which maps to data[readableName]), insert the payload above and save the changes.
- Saving issues the request listed under Details: a POST to /admin/accounts/groups/Grupo with the payload in data[readableName].
- Next, go to Accounts > Users and open any user profile.
- The script executes as soon as the page loads, in the session of the admin-panel user viewing the profile, confirming a Stored XSS vulnerability.

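As an added example, not part of the original advisory or of Grav's own code, the following Python script shows the rendering mistake behind this class of bug next to its fixed form, and a check a practitioner can run against a fetched user-profile page after patching to confirm whether data[readableName] is still rendered raw. The form-building helper, the marker string and the render_badge_* functions are assumptions for illustration: the page documents only the endpoint and the parameter name, not the other fields Grav's admin form submits or the exact template that renders the display name, and the marker is deliberately inert so the check can be run without firing a script in a production admin session.

```python
"""Check whether a group's Display Name (data[readableName]) is rendered
escaped or raw on a Grav admin user-profile page.

Added example; not code from the original advisory or from Grav.
Assumptions (not stated on the page): the group form is submitted as an
application/x-www-form-urlencoded POST, and the profile page HTML has
already been fetched with an ordinary HTTP client and is held as a string.
"""
import html
from typing import Tuple
from urllib.parse import urlencode

# Constructed marker: inert, unique, and built from characters that any
# HTML output encoder must escape. Finding it verbatim in the rendered page
# proves the value is emitted raw, without executing anything.
MARKER = '<xsscheck data-id="cve-2025-66312">'


def build_group_form(group_name: str, readable_name: str) -> Tuple[str, str]:
    """Return (path, urlencoded body) for the request described under Details.

    Only the documented parameter is included. Any other fields Grav's admin
    form sends (nonce, task, ...) are not listed on the page and are left
    out here; a live test must supply them from a captured request.
    """
    path = f"/admin/accounts/groups/{group_name}"
    body = urlencode({"data[readableName]": readable_name})
    return path, body


def render_badge_unsafe(readable_name: str) -> str:
    """Hypothetical rendering pattern that produces the stored XSS:
    the stored value is concatenated into markup with no encoding."""
    return f'<span class="badge">{readable_name}</span>'


def render_badge_safe(readable_name: str) -> str:
    """Fixed pattern: encode at output time, including quotes."""
    return f'<span class="badge">{html.escape(readable_name, quote=True)}</span>'


def classify(page_html: str, marker: str = MARKER) -> str:
    """Classify how the marker appears in a fetched profile page.

    'vulnerable': the raw marker is present as markup (stored XSS confirmed).
    'escaped':    only an entity-encoded form is present (output encoding fixed).
    'absent':     the marker is not rendered at all (wrong page, or the group's
                  display name is not shown on this profile).
    """
    if marker in page_html:
        return "vulnerable"
    encoded_forms = (
        html.escape(marker, quote=True),   # &lt;...&quot;...&quot;&gt;
        html.escape(marker, quote=False),  # encoders that leave quotes alone
    )
    if any(form in page_html for form in encoded_forms):
        return "escaped"
    return "absent"


if __name__ == "__main__":
    path, body = build_group_form("Grupo", MARKER)
    print("POST", path)
    print(body)
    # Constructed profile pages standing in for the two server behaviours.
    before_fix = "<html><body>" + render_badge_unsafe(MARKER) + "</body></html>"
    after_fix = "<html><body>" + render_badge_safe(MARKER) + "</body></html>"
    print("before fix:", classify(before_fix))
    print("after fix: ", classify(after_fix))
```

In practice, submit the marker as the group's Display Name through the admin panel, fetch a user profile page while logged in, and feed the response body to classify(); a result of "vulnerable" after upgrading means the installed version still renders data[readableName] without encoding.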
Impact
- Session hijacking: stealing the admin-panel session cookie or authentication tokens of whoever views an affected profile, to act as that administrator.
- Credential theft: harvesting usernames and passwords with injected scripts, for example by modifying login or profile forms.
- Malware delivery: serving unwanted or harmful code to victims from a trusted admin page.
- Privilege escalation: an account that can only edit groups gains script execution in the sessions of fully privileged administrators.
- Data manipulation or defacement: changing or disrupting site content through the victim's authenticated session.
- Reputation damage: eroding trust among site users and administrators.
Reference
https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988
Finder
By: CVE-Hunters

