VYPR
Moderate severity · NVD Advisory · Published Mar 19, 2018 · Updated Aug 5, 2024

CVE-2018-5233

Description

Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Grav CMS before 1.3.0 contains a reflected XSS vulnerability in the admin plugin via the PATH_INFO to admin/tools, allowing arbitrary script injection.

Vulnerability

Grav CMS versions prior to 1.3.0 contain a reflected Cross-Site Scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php. The flaw occurs at lines 355 and 358, where unfiltered user input from PATH_INFO is passed into the $error_msg variable and rendered in the server response when an exception is generated. An attacker can trigger this by accessing /admin/tools/someunexistingpage with a crafted path segment [1][4].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by crafting a URL containing malicious JavaScript in the PATH_INFO segment. The attacker needs neither authentication nor a special network position, only the ability to trick a logged-in administrator into visiting the crafted link. For example, visiting /admin/tools/a--%3E%3Cimg%20src=x%20onerror=alert(1)%3E causes the alert(1) script to execute in the context of the victim's browser [1][4]. More advanced proofs of concept demonstrate capturing the admin's nonce and changing their password to achieve privilege escalation [4].
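The following PHP snippet is an added illustration of the sink class the Vulnerability and Exploitation sections describe; it is not Grav's code and not taken from the advisory or its references. The function names, the error-page template and the $error_msg wording are assumptions chosen to mirror the advisory. It shows the unsafe shape (request path concatenated into HTML) beside the escaped version, plus a counting check a maintainer can keep as a regression test, using the decoded form of the PoC path quoted above as constructed input.

```php
<?php
declare(strict_types=1);

// Added illustration, not Grav's code: an error page that embeds the request
// path the way the advisory describes for $error_msg, first unescaped, then
// escaped at the sink. Function names and the template are assumptions.

// Vulnerable pattern: the raw path segment is concatenated into HTML output,
// so any markup in the path is rendered as markup by the admin's browser.
function render_error_unsafe(string $pathInfo): string
{
    $error_msg = 'Page not found: ' . $pathInfo;
    return '<html><body><p>' . $error_msg . '</p></body></html>';
}

// Hardened pattern: escape for the HTML context at the point of output.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string (which would hide the error).
function render_error_safe(string $pathInfo): string
{
    $escaped   = htmlspecialchars($pathInfo, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $error_msg = 'Page not found: ' . $escaped;
    return '<html><body><p>' . $error_msg . '</p></body></html>';
}

// Regression check: the fixed template contributes exactly six '<' characters
// (<html><body><p></p></body></html>); any surplus came from the reflected
// request path and means a tag opener reached the browser unescaped.
function reflected_tag_count(string $html): int
{
    return substr_count($html, '<') - 6;
}

// Constructed sample: the decoded form of the PoC path quoted in the advisory.
$pathInfo = rawurldecode('/admin/tools/a--%3E%3Cimg%20src=x%20onerror=alert(1)%3E');

printf("unsafe: %d reflected tag(s)\n", reflected_tag_count(render_error_unsafe($pathInfo)));
printf("safe:   %d reflected tag(s)\n", reflected_tag_count(render_error_safe($pathInfo)));
echo render_error_safe($pathInfo), PHP_EOL;
```

Run it with `php example.php`. The design point is that escaping belongs at the sink, not at the input: Twig templates with autoescape on already do this for values rendered through the template, but exception and error paths that assemble an HTML string directly in PHP bypass that protection, which is exactly the kind of code path a reflected-XSS audit of an error handler should cover.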

Impact

Successful exploitation allows an attacker to execute arbitrary web script or HTML in the administrative session of a logged-in Grav admin user. Since the vulnerability is in the admin plugin, the attacker can gain access to sensitive information (e.g., nonces) and perform administrative actions such as changing passwords, leading to full site compromise. The CVSS v3.0 score is 7.4 (High) with vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N, indicating high confidentiality impact and no availability impact [3].

Mitigation

The vulnerability is fixed in Grav CMS version 1.3.0. Users should upgrade immediately. There is no known workaround for unpatched versions. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions   Patched versions
getgrav/grav (Packagist)   < 1.3.0             1.3.0

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 5
