CVE-2020-37256

Grav - Cross-Site Scripting in Admin Plugin Page Editor

CVSS 5.1 MEDIUMCWE-79

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected products

Grav · Grav

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/getgrav/grav/security/advisories/GHSA-cvmr-6428-87w9 https://www.vulncheck.com/advisories/grav-cross-site-scripting-in-admin-plugin-page-editor