Grav · Grav · CVE-2023-34452
**Name of the Vulnerable Software and Affected Versions**
Grav versions 1.7.42 and prior
**Description**
The issue is a self-reflected cross-site scripting vulnerability in the "/forgot password" page. It can be exploited by injecting a script into the `email` parameter of the request, which is reflected into the response and may allow an attacker to execute arbitrary script in the user's browser. The impact is limited, however, because user interaction is required to trigger the issue.
**Recommendations**
For Grav versions 1.7.42 and prior, as a temporary workaround, consider implementing server-side validation to prevent this issue: specifically, validate the `email` parameter of the "/forgot password" page request before it is used or reflected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
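The following PHP sketch is an added example, not Grav's own code and not the fix for CVE-2023-34452. It shows the two server-side controls a defender would put in front of a reflected parameter like `email`: rejecting any value that is not a syntactically valid address, and HTML-encoding the value before it is written into the page. The function names and the hypothetical forgot-password handler are assumptions; the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not Grav's code): validate the `email` request parameter
// before it is used and encode it before it is reflected into HTML.

/**
 * Return a normalised e-mail address, or null when the input is not a
 * syntactically valid address. Values containing markup fail validation.
 */
function validateEmailParam(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $candidate = trim($raw);
    // Bound the length before handing the value to the validator.
    if ($candidate === '' || strlen($candidate) > 254) {
        return null;
    }
    $valid = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Encode a value for insertion into an HTML text node or attribute.
 * ENT_QUOTES encodes both quote styles, so the result is also safe
 * inside value="...".
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hypothetical forgot-password handler. Returns the HTML fragment the page
 * would reflect, built only from validated and encoded input.
 */
function renderForgotPasswordResponse(array $query): string
{
    $email = validateEmailParam($query['email'] ?? null);
    if ($email === null) {
        // Generic message: the rejected input is never echoed back.
        return '<p class="error">Please enter a valid e-mail address.</p>';
    }
    // A valid address can still contain quotes, so it is encoded on output.
    return '<p>If an account exists for ' . encodeForHtml($email)
        . ', a reset link has been sent.</p>';
}

// Constructed inputs for a command-line run: php this_file.php
if (PHP_SAPI === 'cli') {
    $samples = [
        ['email' => 'user@example.com'],          // plain valid address
        ['email' => '<b>bold</b>@example.com'],   // markup: rejected by validation
        ['email' => '"x"@example.com'],           // valid quoted local part: encoded on output
        [],                                       // parameter absent
    ];
    foreach ($samples as $q) {
        echo renderForgotPasswordResponse($q), PHP_EOL;
    }
}
```

Validation alone is not sufficient: the third sample is a valid RFC 5322 address that contains double quotes, so the handler still encodes every reflected value, and the error path deliberately shows a fixed message rather than echoing the rejected input.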