{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2020-37256", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-06-22T21:55:13.786Z", "datePublished": "2026-06-25T21:41:00.831Z", "dateUpdated": "2026-06-27T02:27:57.205Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-06-25T21:41:00.831Z" }, "datePublic": "2020-12-10T00:00:00.000Z", "title": "Grav - Cross-Site Scripting in Admin Plugin Page Editor", "descriptions": [ { "lang": "en", "value": "Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access." } ], "problemTypes": [ { "descriptions": [ { "lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE" } ] } ], "affected": [ { "vendor": "Grav", "product": "Grav", "defaultStatus": "unaffected", "versions": [ { "version": "0", "status": "affected", "versionType": "semver", "lessThan": "1.6.30" }, { "version": "1.6.30", "status": "unaffected", "versionType": "semver" } ] } ], "cpeApplicability": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:getgrav:grav-plugin-admin:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.6.30" } ] } ] } ], "metrics": [ { "format": "CVSS", "cvssV4_0": { "version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM" } }, { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM" } } ], "references": [ { "url": "https://github.com/getgrav/grav/security/advisories/GHSA-cvmr-6428-87w9", "name": "GitHub Security Advisory (GHSA-cvmr-6428-87w9)", "tags": [ "vendor-advisory" ] }, { "name": "VulnCheck Advisory: Grav - Cross-Site Scripting in Admin Plugin Page Editor", "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/grav-cross-site-scripting-in-admin-plugin-page-editor" } ], "credits": [ { "lang": "en", "value": "ShrubberyRubbery", "type": "analyst" } ], "x_generator": { "engine": "vulncheck-endgame" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-27T02:27:40.463020Z", "id": "CVE-2020-37256", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-27T02:27:57.205Z" } } ] } }