n-day
CVE-2025-46198
Tyojong
2025. 7. 4. 20:52
| Vendor | Grav CMS |
| Version | v.1.7.46 <= Grav <= v.1.7.48 |
| Vulnerability Type | Cross-Site Scripting (XSS) |
A Cross-Site Scripting vulnerability in Grav v.1.7.46, v.1.7.47 and v.1.7.48 allows an attacker to execute arbitrary code (JavaScript in the victim's browser) via the onerror attribute of an img element.
Precondition: the attacker must be able to edit pages in the /admin panel, which any authenticated user with the editor role (or permission to publish) can do.
POC
Saving a page fails when the content contains an ordinary script tag.
However, script execution is still possible through the onerror attribute of an img element.
The page saves without so much as a warning.
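As an added illustration (not code from the original post or from Grav), the Python below contrasts a tag-only blocklist, which is the kind of check the save behaviour above suggests (an assumption about Grav's filter), with an attribute-aware audit that also flags on* event handlers and javascript: URLs; the sample page bodies and all function names are constructed.

```python
# Added example, not Grav's own code: why a tag-only blocklist lets the
# img/onerror variant through. SAMPLES and all function names are constructed.
import re
from html.parser import HTMLParser

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


def naive_filter_blocks(markup: str) -> bool:
    """Tag blocklist: refuse the save only when a <script> tag is present."""
    return SCRIPT_TAG.search(markup) is not None


class ScriptAttrAuditor(HTMLParser):
    """Collect (tag, attribute) pairs that can run script without any <script>
    element: on* event handlers and javascript: URLs. HTMLParser lowercases
    attribute names and decodes entities in values, so OnError=... and
    href="&#106;avascript:..." are caught as well."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            is_js_url = name in URL_ATTRS and value and JS_URL.match(value)
            if name.startswith("on") or is_js_url:
                self.findings.append((tag, name))


def audit(markup: str) -> list[tuple[str, str]]:
    """Return every script-capable attribute found in the markup."""
    parser = ScriptAttrAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings


def strict_filter_blocks(markup: str) -> bool:
    """Attribute-aware check: block on <script> or any script-capable attribute."""
    return naive_filter_blocks(markup) or bool(audit(markup))


SAMPLES = {  # constructed page bodies an editor might submit
    "script_tag": "<p>hello</p><script>doSomething()</script>",
    "img_onerror": '<img src="missing.png" onerror="doSomething()">',
    "js_href_encoded": '<a href="&#106;avascript:doSomething()">link</a>',
    "benign": '<img src="logo.png" alt="Logo">',
}


def run_samples() -> dict[str, tuple[bool, bool]]:
    """Map sample name -> (tag-blocklist blocks it, attribute-aware blocks it)."""
    return {n: (naive_filter_blocks(m), strict_filter_blocks(m)) for n, m in SAMPLES.items()}
```

Only the attribute-aware check rejects the img/onerror and encoded javascript: samples while still accepting the benign image; a real fix should go further and allowlist tags and attributes rather than blocklist them.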