Vulnerability Description
Grav is a flat-file content management system. In versions 1.7.42 and prior, the "/forgot_password" page has a self-reflected cross-site scripting vulnerability that can be exploited by injecting a script into the "email" parameter of the request. While this vulnerability can potentially allow an attacker to execute arbitrary code on the user's browser, the impact is limited as it requires user interaction to trigger the vulnerability. As of time of publication, a patch is not available. Server-side validation should be implemented to prevent this vulnerability.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Getgrav | Grav | <= 1.7.42 |
Related Weaknesses (CWE)
References
- https://github.com/getgrav/grav/security/advisories/GHSA-xcr8-cc2j-62fcExploitVendor Advisory
- https://github.com/getgrav/grav/security/advisories/GHSA-xcr8-cc2j-62fcExploitVendor Advisory
FAQ
What is CVE-2023-34452?
CVE-2023-34452 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Grav is a flat-file content management system. In versions 1.7.42 and prior, the "/forgot_password" page has a self-reflected cross-site scripting vulnerability that can be exploited by injecting a sc...
How severe is CVE-2023-34452?
CVE-2023-34452 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-34452?
Check the references section above for vendor advisories and patch information. Affected products include: Getgrav Grav.