CVE-2023-34452 MEDIUM

CVE-2023-34452: Grav vulnerable to Self Cross Site Scripting in /forgot_password

Vendor Getgrav
Product grav
Weakness CWE-79 · XSS
Published June 14, 2023
Last update December 18, 2024
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Grav is a flat-file content management system. In versions 1.7.42 and prior, the "/forgot_password" page has a self-reflected cross-site scripting vulnerability that can be exploited by injecting a script into the "email" parameter of the request. While this vulnerability can potentially allow an attacker to execute arbitrary code on the user's browser, the impact is limited as it requires user interaction to trigger the vulnerability. As of time of publication, a patch is not available. Server-side validation should be implemented to prevent this vulnerability.

Key dates

02Disclosure timeline

June 14, 2023 CVE published
December 18, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-2796 Cross-site Scripting (XSS) - Stored in pimcore/pimcore CVE-2024-31914 IBM Sterling B2B Integrator cross-site scripting CVE-2024-56298 WordPress Pretty Simple Popup Builder Plugin <= 1.0.9 - Stored Cross Site Scripting (XSS) vulnerability CVE-2025-58624 WordPress Exchange Rates Plugin <= 1.2.5 - Cross Site Scripting (XSS) Vulnerability CVE-2024-0326 Premium Addons for Elementor <= 4.10.17 - Authenticated(Contributor+) Stored Cross-Site Scripting via Link Wrapper