Grav · Grav-Plugin-Form · CVE-2026-42845
**Name of the Vulnerable Software and Affected Versions**
Grav form plugin versions prior to 9.1.0
**Description**
An unauthenticated attacker can overwrite page content through the form plugin's file upload. The upload handler in `user/plugins/form/classes/Form.php` takes the target `filename` from a POST parameter that the client controls. The extension check, `Utils::checkFilename()`, is a denylist that blocks only a limited set of extensions, so a file named with an extension such as `.md` is accepted. When a form's file field is configured with a permissive `accept` policy and the default `destination: self@` (the page's own folder), the attacker can upload a crafted markdown file that replaces the page's own content file. The overwritten page can in turn be used, via a `process: save` action, to escalate to super-admin privileges.
**Recommendations**
Update the form plugin to version 9.1.0 or later (for example with `bin/gpm update form`; `bin/gpm version form` shows the installed version).
As a temporary workaround, restrict the `accept` policy of every file upload field to an explicit allowlist of the MIME types or extensions the form actually needs, excluding text-based extensions such as `.md`, and avoid `destination: self@`, pointing uploads at a dedicated directory instead so that an uploaded file can never replace a page's own content file.
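The following page front matter is an added example, not part of the advisory or the Grav project, showing the weak file-field configuration the description refers to next to a hardened one. The form name, field name, upload path `user/data/uploads` and the MIME allowlist are assumptions chosen for illustration; `destination: self@` with a catch-all `accept` entry is the assumed permissive setting.

```yaml
# Weak configuration (assumed): default destination plus a catch-all accept.
# An uploaded file named after the page's own content file lands in the page
# folder, where a .md upload replaces the page content.
---
title: Contact
form:
  name: contact-weak          # assumed form name
  fields:
    attachment:               # assumed field name
      type: file
      label: Attach a file
      multiple: false
      destination: 'self@'    # page's own folder (default)
      accept:
        - '*'                 # assumed permissive policy: any extension passes
  buttons:
    submit:
      type: submit
      value: Submit
  process:
    - upload: true
    - save:
        fileprefix: contact-
        dateformat: Ymd-His-u
        extension: txt
        body: "{% include 'forms/data.txt.twig' %}"
---

# Hardened configuration (assumed): a dedicated upload directory outside any
# page folder and an explicit allowlist, so neither .md nor other text-based
# extensions are accepted and no page file can be overwritten.
---
title: Contact
form:
  name: contact-hardened
  fields:
    attachment:
      type: file
      label: Attach a file
      multiple: false
      destination: 'user/data/uploads'   # assumed path; not a page folder
      accept:                            # explicit allowlist
        - image/png
        - image/jpeg
        - application/pdf
      filesize: 5                        # cap uploads at 5 MB
  buttons:
    submit:
      type: submit
      value: Submit
  process:
    - upload: true
    - save:
        fileprefix: contact-
        dateformat: Ymd-His-u
        extension: txt
        body: "{% include 'forms/data.txt.twig' %}"
---
```

The workaround only mitigates; the allowlist is enforced by the same plugin code that takes the filename from the request, so the upgrade to 9.1.0 remains the fix.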