CVE Catalog

CVE-2020-37256

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile — higher than 6% of all known CVEs

Summary

Grav before version 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access.

Risk Assessment

The risk for the organization includes system takeover by an attacker with page editor privileges, potentially leading to data theft, malware installation, and further attack escalation.

Recommendation

It is recommended to immediately update Grav to version 1.6.30 or later and review user permissions for page editor access.

Original NVD description (English source)

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS