CVE-2018-5233
Published: 2018-03-19
Priority: P3 · 35 · medium · CVSS 3.0 base score 6.1
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EXPLOIT
EPSS: 3.40% (87.3rd percentile)
Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | >= 0 < 1.3.0 | 1.3.0 |
| getgrav | grav_cms | < 1.3.0 | 1.3.0 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
OSV
osv · 2022-05-14
CVE-2018-5233 [MEDIUM] Grav CMS Cross-site scripting (XSS) vulnerability
Cross-site scripting (XSS) vulnerability in `system/src/Grav/Common/Twig/Twig.php` in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.
GHSA
ghsa · 2022-05-14
CVE-2018-5233 [MEDIUM] CWE-79 Grav CMS Cross-site scripting (XSS) vulnerability
Cross-site scripting (XSS) vulnerability in `system/src/Grav/Common/Twig/Twig.php` in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.
No detection rules found.
Nuclei
nuclei · CVSS 6.1
CVE-2018-5233 [MEDIUM] Grav CMS <1.3.0 - Cross-Site Scripting
Only the tail of the template's matcher section is preserved in this record; the request block and the start of the first matcher are truncated, and the surviving fragment reads `Grav CMS alert(document.domain)'`.

```yaml
      - type: word
        part: body
        words:
          - '/themes/grav'
          - 'Grav Admin Login'
          - 'data-grav-'
        condition: or
      - type: word
        part: header
        words:
          - text/html
      - type: status
        status:
          - 200
```
No writeups or analysis indexed.
References:
- http://www.openwall.com/lists/oss-security/2018/03/15/1
- https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/