Grav CMS XSS

Disclosure date: 9/23/19

Grav CMS v1.6.16 and possibly earlier versions are affected by numerous Cross-Site Scripting (XSS) vulnerabilities. This vulnerability can be exploited with or without an authenticated account.

All things considered, this is fairly benign as far as I can tell. There are a number of built-in protections and I think this is just a small hole that would be difficult (for me) to exploit. That said, I like the exercise.

Anyway, the bug was reported on their GitHub page and I'm done playing around. You can exploit this through Page add and through comments, if you install those.

From Page add, if we try the typical XSS payload:

We get denied. There are actually quite a few techniques that do not work. But after some hunting:

When we save:

Like I said, not really much to do here other than the alert popup as far as I can tell.