CVE-2025-66304

Exploit

EPSS 0.08%
Veröffentlicht 01.12.2025 21:40:11
Zuletzt bearbeitet 03.12.2025 18:57:54
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes. This vulnerability is fixed in 1.8.0-beta.27.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Getgrav ≫ Grav Version >= 1.7.46 < 1.8.0

Getgrav ≫ Grav Version1.8.0 Updatebeta1

Getgrav ≫ Grav Version1.8.0 Updatebeta10

Getgrav ≫ Grav Version1.8.0 Updatebeta11

Getgrav ≫ Grav Version1.8.0 Updatebeta12

Getgrav ≫ Grav Version1.8.0 Updatebeta13

Getgrav ≫ Grav Version1.8.0 Updatebeta14

Getgrav ≫ Grav Version1.8.0 Updatebeta15

Getgrav ≫ Grav Version1.8.0 Updatebeta16

Getgrav ≫ Grav Version1.8.0 Updatebeta17

Getgrav ≫ Grav Version1.8.0 Updatebeta18

Getgrav ≫ Grav Version1.8.0 Updatebeta19

Getgrav ≫ Grav Version1.8.0 Updatebeta2

Getgrav ≫ Grav Version1.8.0 Updatebeta20

Getgrav ≫ Grav Version1.8.0 Updatebeta21

Getgrav ≫ Grav Version1.8.0 Updatebeta22

Getgrav ≫ Grav Version1.8.0 Updatebeta23

Getgrav ≫ Grav Version1.8.0 Updatebeta24

Getgrav ≫ Grav Version1.8.0 Updatebeta25

Getgrav ≫ Grav Version1.8.0 Updatebeta26

Getgrav ≫ Grav Version1.8.0 Updatebeta3

Getgrav ≫ Grav Version1.8.0 Updatebeta4

Getgrav ≫ Grav Version1.8.0 Updatebeta5

Getgrav ≫ Grav Version1.8.0 Updatebeta6

Getgrav ≫ Grav Version1.8.0 Updatebeta7

Getgrav ≫ Grav Version1.8.0 Updatebeta8

Getgrav ≫ Grav Version1.8.0 Updatebeta9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.236

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	6.2	0.7	5.5	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-201 Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7

Patch

https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-66304

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66304

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66304

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-66304