Grav · Grav · CVE-2026-42611
**Name of the Vulnerable Software and Affected Versions**
Grav versions prior to 2.0.0-beta.2
**Description**
A low-privileged user with page creation permissions can perform stored Cross-Site Scripting (XSS) by injecting an `svg` element that carries an unquoted event-handler attribute. The XSS filter in the `detectXss()` function (`system/src/Grav/Common/Security.php`) relies on a regular expression for `on` event attributes that does not match unquoted event handlers, so such a payload passes the check and is stored. The affected endpoint is `admin/pages/<page>`.
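To make the detection gap concrete, the following is an added example written for this page; it is not Grav's `detectXss()` code, and the two regular expressions are hypothetical stand-ins that reproduce the class of bug rather than Grav's actual expression. The weak pattern insists on a quote after `=`, the hardened pattern matches any `on...=` attribute inside a tag regardless of quoting. All sample payloads are constructed, and the example goes beyond the advisory's `svg` case by including an `img` handler and a URL-encoded variant, since the weakness is in the attribute regex, not in the element name.

```python
import html
import re
import urllib.parse

# Constructed sample inputs for this example (none are taken from the advisory).
SAMPLES = {
    "quoted_double": '<svg onload="alert(1)">',
    "quoted_single": "<svg onload='alert(1)'>",
    "unquoted": "<svg onload=alert(1)>",
    "unquoted_slash_sep": "<svg/onload = alert(1)>",
    "unquoted_img": "<img src=x onerror=alert(1)>",
    "url_encoded": "%3Csvg%20onload%3Dalert(1)%3E",
    "benign": "<p>on sale: 1 for 2</p>",
}

# Hypothetical weak pattern: it requires a quote character after "=", so an
# event handler written without quotes never matches. Written for this example
# to reproduce the class of bug; it is not Grav's actual expression.
WEAK_ON_EVENT = re.compile(r'on\w+\s*=\s*["\']', re.IGNORECASE)

# Hardened pattern: flag any attribute beginning with "on" that sits inside a
# tag, whatever follows the "=". The attribute name must be preceded by a
# separator (whitespace, "/", or a quote) so a tag name such as <button> or a
# text node containing "on" does not trigger it.
STRONG_ON_EVENT = re.compile(r'<[^>]*[\s/"\']on[a-z]+\s*=', re.IGNORECASE)


def normalize(value: str) -> str:
    """Undo the encodings an attacker can use to hide a tag from the regex.

    URL-decoding and entity-decoding happen before matching; whitespace is
    left alone because the patterns above account for it explicitly.
    """
    return html.unescape(urllib.parse.unquote(value))


def detect_on_event(value: str, pattern: re.Pattern) -> bool:
    """Return True when `pattern` finds an event-handler attribute in `value`."""
    return pattern.search(normalize(value)) is not None


def compare(samples: dict[str, str]) -> dict[str, tuple[bool, bool]]:
    """Map each sample name to (weak_hit, strong_hit)."""
    return {
        name: (detect_on_event(s, WEAK_ON_EVENT), detect_on_event(s, STRONG_ON_EVENT))
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, (weak, strong) in compare(SAMPLES).items():
        print(f"{name:20s} weak={weak!s:5s} strong={strong!s:5s}")
```

Running the block shows every unquoted variant (including the URL-encoded one once decoded) slipping past the weak pattern while the hardened pattern catches all of them and leaves the benign markup alone. The hardened pattern deliberately errs toward rejection (an attribute value such as `title="one=two"` would also be flagged); a regex deny-list of this kind is a last line of defence, and the robust fix for user-supplied markup remains context-aware output encoding or a real HTML sanitizer rather than pattern matching on raw input.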
When a Super Admin triggers the stored payload, the script runs in that administrator's session and can read the `/admin/config/info` endpoint, exfiltrating the sensitive system information it returns. In particular, the attacker can capture the `admin nonce`, which may be used to bypass the admin's CSRF protections and potentially lead to Remote Code Execution (RCE) and full server compromise.
**Recommendations**
Update to version 2.0.0-beta.2 or later.
As a temporary workaround, restrict the ability of low-privileged users to create or edit pages until the update is applied.