CVE-2020-36955
Persistent XSS in Grav CMS Admin Plugin Allows Script Injection
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grav | cms | 1.6.30 |
| grav | admin_plugin | up to and including 1.9.18 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is a stored (persistent) cross-site scripting flaw in Grav CMS 1.6.30 with Admin Plugin 1.9.18. An authenticated user of the admin panel can place JavaScript in the 'page title' field when creating a new page. The title is saved as typed and later written into HTML without being entity-encoded, so the script runs in the browser of anyone who views that page, whether in the admin panel or on the public site. [1, 2]
How can this vulnerability impact me?
An authenticated attacker can run arbitrary JavaScript in the browser of any user who views the poisoned page, in the origin of the Grav admin panel or of the public site. Against an administrator this allows session hijacking and actions carried out with the administrator's privileges; against ordinary visitors it allows defacement and other browser-side attacks. Because the payload is stored with the page, it fires on every view until the title is cleaned up, with no need to lure a victim to a crafted link. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The direct check is to reproduce the flaw: log in to the Grav admin panel, open the 'Pages' section, and create a page whose title contains a script tag such as `<script>alert(1337)</script>`. After saving, preview the page or open its front-end URL; if the alert fires, the title is being rendered without encoding. Do this on a staging copy rather than production, and delete the test page afterwards, since the payload persists for every later viewer. A non-intrusive check is to compare installed versions with the affected ones: the core version is the `GRAV_VERSION` constant in `system/defines.php`, and the admin plugin's version is recorded in `user/plugins/admin/blueprints.yaml`. For network-level detection, watch POST requests to `/grav-admin/admin/pages` whose `data[title]` parameter contains tags, `on*=` event-handler attributes or `javascript:` URIs. The references give no dedicated scanner command; manual testing through the admin interface, or intercepting and replaying the request with curl or Burp Suite, is sufficient. [1]
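The two points above, a title written into HTML without encoding and a log check for the `data[title]` parameter, as one added Python example that is not part of this page or of Grav's own code. It assumes the saved title is interpolated into an `<h1>` (the vulnerable function) and shows the entity-encoded form beside it; the request records it scans are constructed for the example, and the `/grav-admin/admin/pages` path follows the example given above. The parser-based `active_content` check is also a reasonable way to verify a fix, since it looks at what the browser would actually execute rather than at the raw string.

```python
"""Stored XSS via an unencoded page title: the defect, the fix, and a request check.

Added example (not Grav's own code). Assumes the saved title is interpolated into an
<h1>; the request records below are constructed, not captured traffic.
"""
import html
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# --- Mechanism: why a stored title becomes executable script ------------------

def render_title_vulnerable(title: str) -> str:
    """Writes the stored title straight into markup: the defect the advisory describes."""
    return f'<h1 class="page-title">{title}</h1>'

def render_title_fixed(title: str) -> str:
    """Same output position, entity-encoded so the browser shows the text instead of parsing it."""
    return f'<h1 class="page-title">{html.escape(title, quote=True)}</h1>'

class _ActiveContentFinder(HTMLParser):
    """Parses rendered HTML and records anything a browser would execute as script."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name} handler")
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name} javascript: URI")

def active_content(rendered_html: str) -> List[str]:
    """Returns the script-bearing constructs in a rendered fragment (empty when it is safe)."""
    finder = _ActiveContentFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings

# --- Detection: flag page writes whose title carries markup -------------------

# Constructed sample of (method, path, form body) records. The last POST is a benign
# title containing '<' and '&' that must not be flagged.
SAMPLE_REQUESTS = [
    ("POST", "/grav-admin/admin/pages", "data%5Btitle%5D=About+Us&data%5Bfolder%5D=about"),
    ("POST", "/grav-admin/admin/pages",
     "data%5Btitle%5D=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&data%5Bfolder%5D=pwn"),
    ("POST", "/grav-admin/admin/pages",
     "data%5Btitle%5D=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&data%5Bfolder%5D=img"),
    ("GET", "/grav-admin/admin/pages", ""),
    ("POST", "/grav-admin/admin/pages", "data%5Btitle%5D=Q%26A+%3C+FAQ&data%5Bfolder%5D=faq"),
]

# '<' directly followed by a tag name or '!'; a bare '< ' is text, not a tag, in HTML.
TAG_RE = re.compile(r"</?[a-z!]", re.IGNORECASE)
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
JS_URI_RE = re.compile(r"javascript\s*:", re.IGNORECASE)

def title_from_body(body: str) -> Optional[str]:
    """Extracts data[title] from a URL-encoded form body (parse_qs percent-decodes the key too)."""
    values = parse_qs(body, keep_blank_values=True).get("data[title]")
    return values[0] if values else None

def suspicious_title(title: str) -> List[str]:
    """Names each markup pattern present in a decoded title; empty for plain text."""
    reasons = []
    if TAG_RE.search(title):
        reasons.append("html tag")
    if HANDLER_RE.search(title):
        reasons.append("event handler attribute")
    if JS_URI_RE.search(title):
        reasons.append("javascript: URI")
    return reasons

def scan_requests(requests) -> List[Tuple[str, str, List[str]]]:
    """Returns (path, decoded title, reasons) for page-save POSTs whose title looks like markup."""
    hits = []
    for method, path, body in requests:
        # /grav-admin is the install directory from the example above; the admin route is /admin.
        if method != "POST" or not urlparse(path).path.endswith("/admin/pages"):
            continue
        title = title_from_body(body)
        if title is None:
            continue
        reasons = suspicious_title(title)
        if reasons:
            hits.append((path, title, reasons))
    return hits

if __name__ == "__main__":
    payload = "<script>alert(1337)</script>"
    for label, render in (("vulnerable", render_title_vulnerable), ("fixed", render_title_fixed)):
        out = render(payload)
        print(f"{label:10s} {out}  active={active_content(out)}")
    for path, title, reasons in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT POST {path} title={title!r} reasons={reasons}")
```

The regexes are deliberately narrow: a title such as `Q&A < FAQ` is legitimate and is left alone, while anything that would parse as a tag, an `on*=` attribute or a `javascript:` URI is reported with the decoded title so an analyst can see exactly what was submitted.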
What immediate steps should I take to mitigate this vulnerability?
The attack requires an account that can log in to the admin panel and create pages, so first limit who holds such accounts and remove any that are stale or shared; note that this does not help against a low-privilege author whose page titles an administrator will later view. Upgrade Grav CMS and the Admin Plugin to a release that fixes the issue as soon as one is available. Until then, audit existing page titles for markup, review newly created pages for suspicious content, and, if you maintain the theme or templates, make sure the title is entity-encoded wherever it is written into HTML (in Twig, output is only encoded where autoescaping is enabled and the value is not passed through the `raw` filter). Validating or sanitizing the title on input is a worthwhile extra layer but not a substitute for output encoding, and a Content-Security-Policy that forbids inline script reduces the impact of any payload that does get through. [2]