GHSA-gqxx-248x-g29f

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[taxonomies] parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector.

---

Details

Vulnerable Endpoint: POST /admin/config/site
Parameter: data[taxonomies]

The application does not properly validate or sanitize input in the data[taxonomies] field. As a result, an attacker can inject JavaScript code, which is stored in the site configuration and later rendered in the administrative interface or site output, causing automatic execution in the user's browser.

---

PoC

Payload:

"><script>alert('XSS-PoC')</script>

Steps to Reproduce:

1. Log in to the Grav Admin Panel with sufficient permissions to modify site configuration.

2. Navigate to Configuration > Site.

3. In the Taxonomies Types field (which maps to data[taxonomies]), insert the payload above:

   "><script>alert('XSS-PoC')</script>

4. Save the configuration.

<img width="1897" height="628" alt="Pasted image 20250718195942" src="https://github.com/user-attachments/assets/2035fcaa-34fc-494c-a7ca-7c1e1f34b057" />

5. Go on Pages and click on one of them

<img width="932" height="587" alt="Pasted image 20250718200306" src="https://github.com/user-attachments/assets/3c1995ba-2581-4e27-ae9d-a17e2eeb5b57" />

6. The stored payload is executed immediately in the browser, confirming the Stored XSS vulnerability.

<img width="1204" height="377" alt="Pasted image 20250718200353" src="https://github.com/user-attachments/assets/ad8ea7ea-603f-4b84-aa5a-120de0cb56ce" />

7. The HTTP request submitted during this process contains the vulnerable parameter and payload:

<img...