
Commit b219f4d

1 parent 64780a1 commit b219f4d


3 files changed

+195
-0
lines changed

Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-858q-77wx-hhx6",
4+
"modified": "2025-12-02T01:24:19Z",
5+
"published": "2025-12-02T01:24:19Z",
6+
"aliases": [
7+
"CVE-2025-66297"
8+
],
9+
"summary": "Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection",
10+
"details": "### Summary\nA user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities.\n\n### Details\nGrav CMS allows Twig to be executed in page templates if enabled in admin panel (process: twig: true).\nA user with publisher/editor privileges, that can create or edit pages and enable twig processing, can thereby inject arbitrary code that will execute in the context of the page render.\n\nThis enables exploitation of Grav internal APIs such as:\n- `grav.user.update()` and `grav.user.save()` for escalating the current user to super admin or admin\n- `grav.scheduler.addCommand()`, `grav.scheduler.save()` and `grav.scheduler.run()` for code execution\n\nThe Twig sandbox is not enforced in this context, allowing full access to any backend PHP object and method in the `system/src/Grav/Common` directory.\n\n### PoC\n#### Preconditions:\n- You must have access to a **non-admin** user with permission to create/edit pages (```admin.pages``` access)\n- For Privilege Escalation, you also have to be logged in to the site with the same user as the admin panel.\n\n#### Steps to reproduce Privilege Escalation:\n1. Login into the non-admin page (default at `cms-url/login`).\n2. Login to the admin panel, create or edit a page and set the Twig processing to true (Advanced -> Process: Twig: true).\n3. Inject the following payload into the page content to escalate privileges:\n```\n{% set _ = grav.user.update({\n 'access': {\n 'admin': {\n 'login': true,\n 'super': true\n }\n }\n}, {}) %}\n{% set _ = grav.user.save() %}\n```\n4. Visit the edited/created page url. The logged in user is now admin. 
(*Note: For the changes to show, you need to log out of the admin panel and relogin).*\n\n#### Steps to reproduce Remote Code Execution:\n1. Login to the admin panel, create or edit a page and set the Twig processing to true (Advanced -> Process: Twig: true).\n2. Inject the following payload into the page content to execute commands:\n```\n{% set _ = grav.scheduler.addCommand('curl', ['http://localhost:8000']) %}\n{% set _ = grav.scheduler.save() %}\n{% set _ = grav.scheduler.run() %}\n```\n3. Visit the page to trigger the execution. The system will issue a `curl` request.\n\n### Impact\nThis vulnerability allows:\n- Privilege Escalation from any user with page editing capabilities to full admin (super) access.\n- Remote Code Execution, as the attacker can run system arbitrary commands via the scheduler API.\n\nIt affects any Grav CMS installation where users with lower privileges are allowed to create or edit pages and Twig processing is not globally disabled.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "getgrav/grav"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.8.0-beta.27"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66297"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/getgrav/grav"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-1336"
59+
],
60+
"severity": "HIGH",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2025-12-02T01:24:19Z",
63+
"nvd_published_at": "2025-12-01T21:15:53Z"
64+
}
65+
}
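Review bot: the affected range (`"introduced": "0"` to `"fixed": "1.8.0-beta.27"`) leaves every stable 1.7.x release flagged with no non-prerelease fix; if a 1.7.x backport exists, add it as a second range, and if not, state in `details` that the only remediation for stable installs is the mitigation the text already implies (keeping `process: twig` disabled for non-admin page editors). The CVSS_V4 vector also carries the threat metric `E:P`; that is acceptable for a PoC-backed advisory, but it should be dropped if the intent is a base-only score like the second advisory in this commit. Minor: step 1 of the privilege-escalation PoC, "Login into the non-admin page", means logging in to the site frontend as the same non-admin user, as the preconditions say; worth rewording before publication.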
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-gqxx-248x-g29f",
4+
"modified": "2025-12-02T01:23:19Z",
5+
"published": "2025-12-02T01:23:19Z",
6+
"aliases": [
7+
"CVE-2025-66308"
8+
],
9+
"summary": "Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`",
10+
"details": "## Summary\n\nA Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/config/site` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[taxonomies]` parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector.\n\n---\n\n## Details\n\n**Vulnerable Endpoint:** `POST /admin/config/site` \n**Parameter:** `data[taxonomies]`\n\nThe application does not properly validate or sanitize input in the `data[taxonomies]` field. As a result, an attacker can inject JavaScript code, which is stored in the site configuration and later rendered in the administrative interface or site output, causing automatic execution in the user's browser.\n\n---\n\n## PoC\n\n**Payload:**\n\n`\"><script>alert('XSS-PoC')</script>`\n\n### Steps to Reproduce:\n\n1. Log in to the _Grav_ Admin Panel with sufficient permissions to modify site configuration.\n \n2. Navigate to **Configuration > Site**.\n \n3. In the **Taxonomies Types** field (which maps to `data[taxonomies]`), insert the payload above:\n \n `\"><script>alert('XSS-PoC')</script>`\n \n4. Save the configuration.\n\n<img width=\"1897\" height=\"628\" alt=\"Pasted image 20250718195942\" src=\"https://github.com/user-attachments/assets/2035fcaa-34fc-494c-a7ca-7c1e1f34b057\" />\n \n5. Go on Pages and click on one of them\n\n<img width=\"932\" height=\"587\" alt=\"Pasted image 20250718200306\" src=\"https://github.com/user-attachments/assets/3c1995ba-2581-4e27-ae9d-a17e2eeb5b57\" />\n \n6. The stored payload is executed immediately in the browser, confirming the Stored XSS vulnerability.\n\n<img width=\"1204\" height=\"377\" alt=\"Pasted image 20250718200353\" src=\"https://github.com/user-attachments/assets/ad8ea7ea-603f-4b84-aa5a-120de0cb56ce\" />\n \n7. 
The HTTP request submitted during this process contains the vulnerable parameter and payload:\n \n<img width=\"757\" height=\"675\" alt=\"Pasted image 20250718200445\" src=\"https://github.com/user-attachments/assets/fbbe2b76-00eb-4426-8ddd-5cde2cc65d77\" />\n\n---\n\n## Impact\n\nStored XSS attacks can lead to severe consequences, including:\n\n- **Session hijacking:** Stealing cookies or authentication tokens to impersonate users\n \n- **Credential theft:** Harvesting usernames and passwords using malicious scripts\n \n- **Malware delivery:** Distributing unwanted or harmful code to victims\n \n- **Privilege escalation:** Compromising administrative users through persistent scripts\n \n- **Data manipulation or defacement:** Changing or disrupting site content\n \n- **Reputation damage:** Eroding trust among site users and administrators\n \n\n---\n\n## Discoverer\n\n[Marcelo Queiroz](www.linkedin.com/in/marceloqueirozjr) \n\nby [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "getgrav/grav"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.8.0-beta.27"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66308"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/getgrav/grav"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-79"
59+
],
60+
"severity": "MODERATE",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2025-12-02T01:23:19Z",
63+
"nvd_published_at": "2025-12-01T22:15:50Z"
64+
}
65+
}
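Review bot: the `affected.package` entry names `getgrav/grav`, but the summary attributes the bug to the Grav Admin Plugin and the fix reference is a commit in `getgrav/grav-plugin-admin` (99f6532...), not in core; confirm the package mapping, because a range on `getgrav/grav` fixed at `1.8.0-beta.27` will flag core installs that do not ship the admin plugin and will not flag an admin plugin updated on its own. The CVSS_V4 vector (`PR:H/UI:A`) matches the PoC, which needs site-configuration rights plus a second admin opening a page, so MODERATE is consistent. Minor: the discoverer link `www.linkedin.com/in/...` lacks a scheme and will render as a relative URL.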
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-h756-wh59-hhjv",
4+
"modified": "2025-12-02T01:23:05Z",
5+
"published": "2025-12-02T01:23:05Z",
6+
"aliases": [
7+
"CVE-2025-66295"
8+
],
9+
"summary": "Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption",
10+
"details": "### Summary\nWhen a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. In my tests, I was able to cause the Admin UI to write the following content into arbitrary .yaml files (including files like email.yaml, system.yaml, or other site YAML files like admin.yaml) — demonstrating arbitrary YAML write / overwrite via the Admin UI.\n\nExample observed content written by the Admin UI (test data):\nusername: ..\\Nijat\nstate: enabled\nemail: [[email protected]](mailto:[email protected])\nfullname: 'Nijat Alizada'\nlanguage: en\ncontent_editor: default\ntwofa_enabled: false\ntwofa_secret: RWVEIHC2AFVD6FCR6UHCO3DS4HWXKKDT\navatar: { }\nhashed_password: $2y$10$wl9Ktv3vUmDKCt8o6u2oOuRZr1I04OE0YZf2sJ1QcAherbNnk1XVC\naccess:\nsite:\nlogin: true\n\n\n### Steps to Reproduce\n1. Log in to the Grav Admin UI as an administrator.\n2. Create a new user with the following values (example):\n a. Username: ..\\POC-TOKEN-2025-09-29\n b. Fullname: POC-TOKEN-2025-09-29\n c. Email: [email protected]\n d. Password: (any password)\nObserve that a YAML file containing the POC-TOKEN is written outside user/accounts/ (for example in the parent directory of user/accounts)\n\n\n### Impact\n1. Config corruption / service disruption: Overwriting system.yaml, email.yaml, or plugin config files with attacker-controlled YAML (even if limited to fields present in account YAML) could break functionality, disable services, or cause misconfiguration requiring recovery from backups.\n2. 
Account takeover, any user with create user privilege can modify other user's email and password by just creating a new user with the name \"..\\accounts\\USERNAME_OF_VICTIM\"\n\n\n### Proof of Concept\nhttps://github.com/user-attachments/assets/cf503d74-f765-4031-8e22-71f6b3630847",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "getgrav/grav"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.8.0-beta.27"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66295"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/getgrav/grav"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-22"
59+
],
60+
"severity": "HIGH",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2025-12-02T01:23:05Z",
63+
"nvd_published_at": "2025-12-01T21:15:53Z"
64+
}
65+
}
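Review bot: the `details` mixes Windows-style (`..\\Nijat`, `..\\accounts\\USERNAME_OF_VICTIM`) and POSIX (`../Nijat`) traversal sequences without saying which platform the test ran on; a backslash is not a directory separator on Linux, so the account-takeover path as written should be confirmed on a POSIX host or qualified as Windows-only. The CVSS_V3 vector uses `PR:L`, consistent with the Impact section ("any user with create user privilege"), but step 1 of the reproduction says "as an administrator"; align the steps with the actual minimum privilege. The sample account YAML embedded in `details` has lost its indentation (`access:` / `site:` / `login: true` are flattened onto separate lines), which hides the nested structure; put it in a fenced block with indentation preserved. This entry also scores with CVSS_V3 while the other two advisories in this commit use CVSS_V4; consider scoring consistently.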
