CVE-2018-1000529
Description
Grails Fields plugin <=2.2.7 has a stored XSS in the display tag; fixed in 2.2.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Grails Fields plugin, version 2.2.7 and earlier, contains a stored cross-site scripting (XSS) vulnerability in the display tag. Domain objects rendered by this tag are not sanitized; any HTML or JavaScript embedded in domain properties is executed in the browser. The vulnerability affects all Grails applications (including scaffolded apps) using Grails 3.3.5 and below, because those versions bundle the vulnerable plugin [1][2][3]. The fix was introduced in plugin version 2.2.8, which is used in Grails 3.3.6 [2].
Exploitation
An attacker can exploit this vulnerability by providing malicious HTML/JavaScript input in a domain object property that is later displayed using the Grails Fields plugin's display tag. No special network position or authentication is required for the attacker to inject the payload; the payload can be persisted (stored) via a form submission or bootstrap initialization and then rendered to other users. A proof-of-concept demonstrates triggering a JavaScript alert box when the view page is loaded [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session theft, credential harvesting, defacement, or redirection to malicious sites. The attack is stored, meaning the malicious payload persists and affects any user who views the affected page. The scope is the entire application, as the payload runs in the user's session [2][3].
Mitigation
The vulnerability is fixed in Grails Fields plugin version 2.2.8, which is included in Grails 3.3.6. Users of Grails 3.3.5 or lower should upgrade to at least Grails 3.3.6, or explicitly set the Fields plugin dependency in build.gradle to version 2.2.8 or higher [2][3]. No workaround is available other than upgrading. The plugin is open source and maintained under the Grails Plugin Collective [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.grails.plugins:fields (Maven) | < 2.2.8 | 2.2.8 |
| org.grails:grails-core (Maven) | < 3.3.6 | 3.3.6 |
Affected products
ghsa-coords, 2 versions:
- (no CPE) range: < 3.3.6
- (no CPE) range: < 2.2.8
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Grails Fields plugin display tag does not encode or validate user-controllable input before rendering it in the browser, allowing stored cross-site scripting."
Attack vector
An attacker can inject arbitrary HTML or JavaScript into a domain object property that is later displayed by a Grails Fields plugin display tag. Because the plugin does not neutralize user-controllable input before outputting it as a web page [CWE-79], the injected script executes in the victim's browser. The attack can be triggered either through a domain object created during Bootstrap initialization with malicious content, or by a user entering malicious input through the scaffolded GUI [ref_id=1]. No authentication or special network position is required beyond the ability to supply data that gets persisted and later rendered by the display tag.
Affected code
The vulnerability resides in the Grails Fields plugin (version 2.2.7 and below), specifically in the display tag. The plugin is bundled with Grails scaffolding and is used to render domain object fields. The Grails Fields plugin's display tag does not encode or validate HTML or JavaScript content contained in domain object properties before rendering them in the browser [ref_id=1].
What the fix does
The vulnerability was fixed in Grails Fields plugin version 2.2.8, which is included in Grails version 3.3.6 [ref_id=1]. The advisory does not include a patch diff, but the fix involves properly encoding or validating domain object values before they are rendered by the display tag, preventing the execution of injected HTML or JavaScript. Users are recommended to upgrade to Grails 3.3.6 or higher, or to explicitly set the Grails Fields plugin dependency to version 2.2.8 or higher in build.gradle [ref_id=1].
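The Mitigation and "What the fix does" sections both come down to which versions of the two artifacts actually resolve in the build. The following check is an added example, not code from the advisory or the plugin project: it reads the text printed by `gradle dependencies` and reports any of the two affected artifacts that still resolve below the fixed version. The sample reports and the scaffolding version in them are constructed.

```python
import re

# Fixed versions, from the "Affected packages" table on this page.
FIXED = {"org.grails.plugins:fields": (2, 2, 8), "org.grails:grails-core": (3, 3, 6)}

# One node of `gradle dependencies` output, e.g.
#   \--- org.grails.plugins:fields:2.2.7 -> 2.2.8 (*)
NODE = re.compile(
    r"(?P<ga>[\w.\-]+:[\w.\-]+):(?P<declared>[\w.\-]+)"
    r"(?:\s*->\s*(?P<resolved>[\w.\-]+))?"
)


def parse_version(text):
    """Numeric prefix of a version string: '2.2.8.RELEASE' -> (2, 2, 8)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(n) for n in m.group().split(".")) if m else ()


def vulnerable_artifacts(report):
    """Return {artifact: resolved_version} for entries below the fixed version."""
    findings = {}
    for line in report.splitlines():
        m = NODE.search(line)
        if not m or m.group("ga") not in FIXED:
            continue
        # "declared -> resolved" means Gradle replaced the declared version;
        # the resolved one is what ends up on the classpath.
        resolved = m.group("resolved") or m.group("declared")
        if parse_version(resolved) < FIXED[m.group("ga")]:
            findings[m.group("ga")] = resolved
    return findings


# Constructed sample reports (not from a real project; scaffolding version is made up).
BEFORE = """\
+--- org.grails:grails-core:3.3.5
+--- org.grails.plugins:scaffolding:3.4.3
|    \\--- org.grails.plugins:fields:2.2.7
"""
AFTER = """\
+--- org.grails:grails-core:3.3.6
+--- org.grails.plugins:fields:2.2.8
+--- org.grails.plugins:scaffolding:3.4.3
|    \\--- org.grails.plugins:fields:2.2.7 -> 2.2.8 (*)
"""

if __name__ == "__main__":
    print("before:", vulnerable_artifacts(BEFORE))
    print("after: ", vulnerable_artifacts(AFTER))
```

A version string with no numeric prefix parses to an empty tuple and is reported, so an unreadable entry fails closed rather than passing silently.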
Preconditions
- config: The application must use Grails Fields plugin version 2.2.7 or below (included by default in Grails 3.3.5 and below)
- input: An attacker must be able to supply input that gets stored in a domain object property rendered by the display tag
Reproduction
Clone the PoC repository at https://github.com/martinfrancois/CVE-2018-1000529 and start the application locally. When the Grails application is fully initialized, it will display "Grails application running at http://localhost:8080 in environment: development". Open that URL in a browser, click on the link "myapp.TestController", and a JavaScript alert dialog with the text "XSS" will open, demonstrating the stored XSS [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q25j-gcmv-5qpp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1000529 (ghsa, ADVISORY)
- github.com/grails-fields-plugin/grails-fields/issues/278 (ghsa, x_refsource_MISC, WEB)