PT-2023-24888 · Grav · Grav
Misha-N · Published 2023-06-14 · Updated 2023-06-22 · CVE-2023-34452
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Grav versions 1.7.42 and prior
Description: The issue is a self-reflected cross-site scripting (XSS) vulnerability in the "/forgot password" page. It can be exploited by injecting a script into the email parameter of the request, potentially allowing an attacker to execute arbitrary script in the user's browser. The impact is limited, however, because user interaction is required to trigger the issue.
Recommendations: For Grav versions 1.7.42 and prior, as a temporary workaround, implement server-side validation to prevent this issue, specifically validating the email parameter of the "/forgot password" page request. At the time of writing, no newer version containing a fix for this vulnerability is known.
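The workaround above is server-side validation of the email parameter. The following is an added illustration written for this page, not Grav project code: it shows the two independent controls a defender would apply to a forgot-password handler, strict validation of the submitted value and HTML encoding of anything that is echoed back. Grav is written in PHP, so plain PHP is used; the function names, the handler shape and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added illustration, not Grav's own code. Function names, the handler
// shape and the sample inputs below are assumptions made for this example.
declare(strict_types=1);

/**
 * Validate the submitted email parameter.
 * Returns the normalised address, or null when the value is not a
 * syntactically valid email. A script payload placed in this parameter
 * fails validation here and is never reflected into the page.
 */
function validateEmailParam(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $candidate = trim($raw);
    // Cap the length before parsing; 254 is the practical maximum for an address.
    if ($candidate === '' || strlen($candidate) > 254) {
        return null;
    }
    $valid = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * HTML-encode a value before it is written into the response body or an
 * attribute. ENT_QUOTES covers both quote styles so attribute contexts are
 * safe as well; ENT_SUBSTITUTE keeps invalid UTF-8 from short-circuiting.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Sketch of a forgot-password handler (assumed shape, not Grav's routing).
 * Rejected input is never echoed; accepted input is still encoded on output,
 * so output encoding does not depend on validation having been correct.
 */
function handleForgotPassword(array $post): string
{
    $email = validateEmailParam($post['email'] ?? null);
    if ($email === null) {
        // Generic message: the rejected value is deliberately not reflected.
        return '<p class="error">Please enter a valid email address.</p>';
    }
    return '<p>If an account exists for ' . escapeHtml($email)
        . ', a password reset link has been sent.</p>';
}

// Constructed sample requests for demonstration.
$samples = [
    ['email' => 'user@example.com'],          // valid: reflected, encoded
    ['email' => '<b>not-an-email</b>'],       // markup in the parameter: rejected
    ['email' => "o'hara@example.com"],        // valid: the quote is encoded on output
    [],                                       // parameter missing: rejected
];

foreach ($samples as $request) {
    echo handleForgotPassword($request), PHP_EOL;
}
```

The point of keeping both controls is that validation alone protects only this one parameter, while consistent output encoding protects every place a value is echoed, including ones a later change might introduce.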

Exploit: XSS
Weakness Enumeration
Related Identifiers: CVE-2023-34452, GHSA-XCR8-CC2J-62FC
Affected Products: Grav