CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32735 – Cross-site scripting (XSS) from field and configuration text displayed in the Panel
https://notcve.org/view.php?id=CVE-2021-32735
02 Jul 2021 — Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. • https://github.com/getkirby/kirby/releases/tag/3.5.7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 7.6EPSS: 1%CPEs: 1EXPL: 4CVE-2021-29460 – Cross-site scripting (XSS) from unsanitized uploaded SVG files
https://notcve.org/view.php?id=CVE-2021-29460
27 Apr 2021 — Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `