CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-26255 – PHP Phar archives could be uploaded and executed in Kirby
https://notcve.org/view.php?id=CVE-2020-26255
08 Dec 2020 — Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors without Panel access *cannot* use this attack vector. The problem has been patched in Kirby 2.5.14 and Kirby 3.4.5. • https://github.com/getkirby-v2/panel/commit/5a569d4e3ddaea2b6628d7ec1472a3e8bc410881 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-26253 – .dev domains treated as local in Kirby
https://notcve.org/view.php?id=CVE-2020-26253
08 Dec 2020 — Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. This is a security feature, which we implemented years ago in Kirby 2. It helps to avoid that you forget registering your first admin account on a public serv... • https://github.com/getkirby-v2/panel/commit/7f9ac1876bacb89fd8f142f5e561a02ebb725baa • CWE-346: Origin Validation Error •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 3CVE-2017-16807 – Kirby CMS < 2.5.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-16807
13 Nov 2017 — A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file. Existe una vulnerabilidad de Cross-Site Scripting (XSS) en Kirby Panel en versiones anteriores a la 2.3.3, las versiones 2.4.x anteriores a la 2.4.2 y las versiones 2.5.x anteriores a la 2.5.7 al mostrar un documento SVG especialmente preparado que ha sido subido como archivo de contenido. KirbyCM... • https://packetstorm.news/files/id/144965 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •