.. / CVE-2018-5233

Exploit for Grav CMS <1.3.0 - Cross-Site Scripting (CVE-2018-5233)

Description:

Grav CMS before 1.3.0 is vulnerable to cross-site scripting via system/src/Grav/Common/Twig/Twig.php and allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.

Nuclei Template

View the template here CVE-2018-5233.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2018/CVE-2018-5233.yaml

References:

http://www.openwall.com/lists/oss-security/2018/03/15/1
https://github.com/ARPSyndicate/kenzer-templates
https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/
https://nvd.nist.gov/vuln/detail/CVE-2018-5233

.. / CVE-2018-5233 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for Grav CMS <1.3.0 - Cross-Site Scripting (CVE-2018-5233)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2018-5233