CVE-2021-32735 – Cross-site scripting (XSS) from field and configuration text displayed in the Panel
https://notcve.org/view.php?id=CVE-2021-32735
Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's `ListItem` component (used, for example, in the pages and files sections) rendered HTML in page titles unescaped, so a title containing markup or script was interpreted by the browser instead of being shown as text. This allows cross-site scripting (XSS): a malicious authenticated Panel user can escalate their privileges if the injected script runs in the Panel session of an admin user. Visitors without Panel access can use the same vector if the site allows site data to be changed from a frontend form. Patched in Kirby 3.5.7. • https://github.com/getkirby/kirby/releases/tag/3.5.7 https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2021-29460 – Cross-site scripting (XSS) from unsanitized uploaded SVG files
https://notcve.org/view.php?id=CVE-2021-29460
Kirby is an open source CMS. In Kirby CMS before version 3.5.4, an editor with write access to the Kirby Panel can upload an SVG file that contains active content such as `<script>` tags. The direct link to that file can be sent to other users or visitors of the site. Because the file is served from the site's own origin, a victim who opens that link in a browser where they are logged in to Kirby runs the script with their session, and it can for example trigger requests to Kirby's API with the victim's permissions (an SVG referenced from an `<img>` tag does not run scripts; navigating to the file directly does). This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can escalate their privileges if they get an admin user to open such a file. Patched in Kirby 3.5.4. • https://www.exploit-db.com/exploits/49808 http://packetstormsecurity.com/files/162359/Kirby-CMS-3.5.3.1-Cross-Site-Scripting.html https://github.com/getkirby/kirby/releases/tag/3.5.4 https://github.com/getkirby/kirby/security/advisories/GHSA-qgp4-5qx6-548g • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
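The class of file behind CVE-2021-29460 can be refused at upload time. The validator below is an added example, not Kirby's own sanitizer: it parses the SVG as XML and rejects script elements, event handler attributes, foreign (HTML) content, `javascript:`/`vbscript:` URLs and non-image `data:` URLs, and refuses DOCTYPE/ENTITY declarations before the parser ever sees them. Element and attribute names come from the SVG and XLink specs; the policy, the helper names and every file in `SAMPLES` are constructed for this example.

```python
# Added example (not Kirby's own sanitizer): refuse uploaded SVGs that carry
# active content. Element/attribute names follow the SVG and XLink specs; the
# policy, helper names and the SVG blobs in SAMPLES are this example's own.
import xml.etree.ElementTree as ET
from typing import List

# Elements that execute script, animate attributes (including href) or embed HTML.
BLOCKED_ELEMENTS = {"script", "foreignObject", "set", "animate", "handler"}
# Attributes carrying a URL a browser may follow when the SVG is opened directly.
URL_ATTRIBUTES = {"href", "src", "data"}
SAFE_DATA_URL_PREFIXES = ("data:image/png", "data:image/jpeg", "data:image/gif", "data:image/webp")


def _local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'; unprefixed names pass through."""
    return qname.rsplit("}", 1)[-1]


def _unsafe_url(value: str) -> bool:
    v = value.strip().lower()
    if v.startswith(("javascript:", "vbscript:")):
        return True
    # data: URLs are fine for raster images but can smuggle HTML or a nested SVG.
    return v.startswith("data:") and not v.startswith(SAFE_DATA_URL_PREFIXES)


def svg_problems(data: bytes) -> List[str]:
    """Return every reason to reject the file; an empty list means it passed."""
    lowered = data.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        # Refuse before parsing: entity declarations enable expansion attacks on the parser itself.
        return ["DOCTYPE/ENTITY declarations are not allowed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]

    problems = []
    for el in root.iter():
        name = _local(el.tag)
        if name in BLOCKED_ELEMENTS:
            problems.append(f"<{name}> element")
        if name == "style" and el.text and ("@import" in el.text or "url(" in el.text):
            problems.append("<style> loads an external resource")
        for attr, value in el.attrib.items():
            a = _local(attr).lower()
            if a.startswith("on"):
                problems.append(f"event handler attribute {a} on <{name}>")
            elif a in URL_ATTRIBUTES and _unsafe_url(value):
                problems.append(f"{a} with a {value.split(':', 1)[0]}: URL on <{name}>")
    return problems


def is_safe_svg(data: bytes) -> bool:
    return not svg_problems(data)


# Constructed samples: a clean file, a legitimately embedded raster image, and the vectors.
SAMPLES = {
    "clean": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><rect width="10" height="10" fill="#09f"/></svg>',
    "raster": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>fetch("/api/users")</script><rect width="1" height="1"/></svg>',
    "onload": b'<svg xmlns="http://www.w3.org/2000/svg" onload="fetch(\'/api/users\')"><rect width="1" height="1"/></svg>',
    "xlink_js": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:href="javascript:alert(1)"><text>click</text></a></svg>',
    "foreign": b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/></body></foreignObject></svg>',
    "doctype": b'<!DOCTYPE svg [<!ENTITY x "y">]><svg xmlns="http://www.w3.org/2000/svg"/>',
    "broken": b'<svg><rect',
}


def audit_samples() -> dict:
    """Map each sample name to the number of problems found."""
    return {name: len(svg_problems(blob)) for name, blob in SAMPLES.items()}
```

Run `audit_samples()` to see the verdict per sample: the clean file and the embedded PNG pass, everything else is rejected. Rejecting at upload is the first layer; serving user uploads with a `Content-Disposition: attachment` header or from a separate origin keeps a file that slips through from running with the Panel's cookies.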
CVE-2020-26255 – PHP Phar archives could be uploaded and executed in Kirby
https://notcve.org/view.php?id=CVE-2020-26255
Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5 and Kirby Panel before version 2.5.14, an editor with full access to the Kirby Panel can upload a PHP `.phar` file and execute it on the server: the upload check did not reject the `.phar` extension, and common Apache mod_php configurations (Debian's `php*.conf`, for example, matches `.ph(ar|p|tml)`) hand such files to the PHP interpreter when they are requested. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors without Panel access *cannot* use this attack vector. The problem has been patched in Kirby 2.5.14 and Kirby 3.4.5. • https://github.com/getkirby-v2/panel/commit/5a569d4e3ddaea2b6628d7ec1472a3e8bc410881 https://github.com/getkirby/kirby/commit/db8f371b13036861c9cc5ba3e85e27f73fce5e09 https://github.com/getkirby/kirby/releases/tag/3.4.5 https://github.com/getkirby/kirby/security/advisories/GHSA-g3h8-cg9x-47qw https://packagist.org/packages/getkirby/cms https://packagist.org/packages/getkirby/panel • CWE-434: Unrestricted Upload of File with Dangerous Type •
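An upload gate that closes the gap behind CVE-2020-26255, as an added example rather than Kirby's own code: it runs two independent checks, one on the filename (every dotted segment is compared against a deny list of extensions PHP handlers commonly execute, dotfiles such as `.htaccess` and directory components are refused) and one on the content (a PHP open tag or the `__HALT_COMPILER();` marker that every Phar stub must end with, so a renamed archive is still caught). The deny list, the helper names and the sample uploads are this example's own.

```python
# Added example (not Kirby's code): refuse uploads a PHP web server might execute.
# The deny list, helper names and SAMPLES are this example's own.
import posixpath
import re
from typing import List

# Extensions that Apache mod_php / PHP-FPM setups commonly map to the interpreter.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phps", "pht", "phtm", "phtml", "phar",
}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)          # <?php ... or <?= ...
PHAR_STUB_MARKER = re.compile(rb"__HALT_COMPILER\s*\(\s*\)", re.IGNORECASE)


def filename_problems(name: str) -> List[str]:
    """Check the name the file will be stored under, not just the one the client claims."""
    problems = []
    base = posixpath.basename(name.replace("\\", "/")).strip().lower()
    if base != name.strip().lower():
        problems.append("filename contains a directory component")
    if base.startswith("."):
        problems.append("dotfiles such as .htaccess are not allowed")   # .htaccess can re-enable execution
    segments = base.split(".")[1:]          # 'shell.phar.jpg' -> ['phar', 'jpg']; every segment counts
    for seg in segments:
        if seg in EXECUTABLE_EXTENSIONS:
            problems.append(f"executable extension .{seg} in filename")
    if not segments or not segments[-1]:
        problems.append("filename has no usable extension")
    return problems


def content_problems(data: bytes) -> List[str]:
    """Content checks catch a PHP file or Phar archive that was renamed to a harmless extension."""
    problems = []
    if PHP_OPEN_TAG.search(data[:8192]):
        problems.append("PHP open tag in content")
    if PHAR_STUB_MARKER.search(data):
        problems.append("Phar stub marker __HALT_COMPILER() in content")
    return problems


def upload_problems(name: str, data: bytes) -> List[str]:
    return filename_problems(name) + content_problems(data)


def is_upload_allowed(name: str, data: bytes) -> bool:
    return not upload_problems(name, data)


# Constructed uploads. The Phar stub has the shape PHP requires: PHP code ending in __HALT_COMPILER();
PHAR_BYTES = b"<?php echo shell_exec($_GET['c']); __HALT_COMPILER(); ?>\r\n" + b"\x00" * 16
SAMPLES = [
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("Report.PDF", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("shell.phar", PHAR_BYTES),
    ("shell.phar.jpg", PHAR_BYTES),
    ("notes.txt", b"<?php system($_GET['c']); ?>"),
    (".htaccess", b"AddType application/x-httpd-php .jpg\n"),
    ("../evil.php", b"<?= `id` ?>"),
]


def audit_samples() -> dict:
    """Map each sample filename to the number of problems found."""
    return {name: len(upload_problems(name, data)) for name, data in SAMPLES}
```

`audit_samples()` shows the point of the second check: `notes.txt` has an innocent name and is caught by its content alone. An extension deny list is still a guess about the server's handler configuration, so the media and content directories should additionally be served with PHP execution disabled.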
CVE-2020-26253 – .dev domains treated as local in Kirby
https://notcve.org/view.php?id=CVE-2020-26253
Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6 and Kirby Panel before version 2.5.14, hosts on a `.dev` domain were treated as local development machines. To protect new installations on public servers that do not have an admin account for the Panel yet, Kirby blocks account registration (the Panel installer) there by default, a safeguard introduced years ago in Kirby 2 so that an owner cannot forget to register the first admin account on a public server. Because `.dev` is a public top-level domain, that safeguard did not apply to sites hosted under it, so the Panel could be accessed and its first account registered by anyone as long as no admin account existed yet. • https://github.com/getkirby-v2/panel/commit/7f9ac1876bacb89fd8f142f5e561a02ebb725baa https://github.com/getkirby/kirby/releases/tag/3.3.6 https://github.com/getkirby/kirby/security/advisories/GHSA-2ccx-2gf3-8xvv https://packagist.org/packages/getkirby/cms https://packagist.org/packages/getkirby/panel • CWE-346: Origin Validation Error •
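The kind of "is this a local install?" check behind CVE-2020-26253, shown as an added example in a vulnerable and a corrected form; this is not Kirby's code. The vulnerable version treats every host under `.dev` as a developer machine, although `.dev` has been a public, HSTS-preloaded gTLD since 2019. The corrected version recognises only loopback addresses, `localhost` and top-level domains that cannot be registered in public DNS (`.localhost` and `.test` from RFC 6761, `.local` which mDNS reserves). The function names, the exact suffix lists and the `HOSTS` sample are this example's own.

```python
# Added example (not Kirby's code): a local-host check with the .dev flaw and
# its corrected form. Function names and suffix lists are this example's own.
import ipaddress

PUBLIC_AS_IF_LOCAL = (".dev", ".test", ".local")          # the flawed list: .dev is registrable
UNREGISTRABLE_TLDS = (".localhost", ".test", ".local")      # the corrected list


def _hostname(host: str) -> str:
    """Drop a port and IPv6 brackets: '[::1]:8080' -> '::1', 'localhost:8000' -> 'localhost'."""
    host = host.strip().lower()
    if host.startswith("["):
        return host[1:host.index("]")] if "]" in host else host[1:]
    if host.count(":") == 1:            # host:port; a bare IPv6 literal has more colons
        return host.split(":", 1)[0]
    return host


def is_local_host_vulnerable(host: str) -> bool:
    name = _hostname(host)
    return name in ("localhost", "127.0.0.1", "::1") or name.endswith(PUBLIC_AS_IF_LOCAL)


def is_local_host_fixed(host: str) -> bool:
    name = _hostname(host)
    try:
        return ipaddress.ip_address(name).is_loopback   # 127.0.0.0/8 and ::1, nothing else
    except ValueError:
        pass                                            # not an IP literal; fall through to names
    return name == "localhost" or name.endswith(UNREGISTRABLE_TLDS)


# Constructed Host header values. The Host header is chosen by the client, so this
# check may only pick a convenience default; it must never override an explicit server-side setting.
HOSTS = ["localhost:8000", "[::1]:8080", "127.0.0.1", "app.test",
         "mysite.dev", "mysite.dev:443", "10.0.0.5", "example.com"]


def compare(hosts=HOSTS) -> dict:
    """Map each host to (vulnerable verdict, fixed verdict)."""
    return {h: (is_local_host_vulnerable(h), is_local_host_fixed(h)) for h in hosts}
```

`compare()` shows the two versions agreeing everywhere except `mysite.dev`, which only the flawed check calls local. Since the Host header is attacker-controlled, the robust design keeps the installer off on public servers regardless of hostname and lets the operator turn it on explicitly; Kirby 3 exposes that switch as the `panel.install` config option.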
CVE-2018-16623 – Persistent cross-site scripting (XSS) via the site title in the Kirby 2 Panel
https://notcve.org/view.php?id=CVE-2018-16623
Kirby 2.5.12 is prone to a persistent (stored) XSS attack via the Title field of the "Site options" in the admin panel: HTML entered into the site title by an authenticated Panel user is stored and rendered unescaped in the dashboard dropdown for other Panel users. • https://github.com/security-breachlock/CVE-2018-16623/blob/master/CVE-2018-16623.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
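Both title-field issues on this page, CVE-2021-32735 (page titles in the Panel's `ListItem`) and CVE-2018-16623 (the site title in the Kirby 2 dashboard dropdown), come down to a stored string being interpolated into Panel markup verbatim. The added example below, which is not code from Kirby or the advisory authors, models that flaw, a tag-stripping filter that looks like a fix, and the actual fix (escaping for the HTML context, quotes included, because the title also lands inside an attribute). The markup template, the helper names and the `PAYLOADS` list are constructed for this example.

```python
# Added example (not Kirby's code): why escaping, not tag stripping, neutralises
# HTML stored in a title field. Template, helper names and PAYLOADS are this example's own.
import html
import re

# Constructed payloads of the kind an editor, or a frontend form that writes site data, could store.
PAYLOADS = [
    "<script>fetch('/api/users')</script>",
    "<img src=x onerror=\"fetch('/api/users')\">",
    "<svg><script>alert(1)</script></svg>",
    '" onmouseover="alert(1)',        # needs no tag at all: it breaks out of the title="..." attribute
]

# The static template contributes exactly this many '<' and '"' characters.
TEMPLATE_LT = 4
TEMPLATE_QUOTES = 4


def render_item_unescaped(title: str) -> str:
    """Vulnerable: the title lands in an attribute and a text node verbatim."""
    return f'<li class="k-list-item" title="{title}"><span>{title}</span></li>'


def strip_script_tags(title: str) -> str:
    """Looks like a fix, is not: removes <script> but leaves event handlers and quote break-outs."""
    return re.sub(r"</?script[^>]*>", "", title, flags=re.IGNORECASE)


def render_item_escaped(title: str) -> str:
    """Hardened: escape once, with quote=True so the attribute context is covered as well."""
    safe = html.escape(title, quote=True)
    return f'<li class="k-list-item" title="{safe}"><span>{safe}</span></li>'


def breaks_template(markup: str) -> bool:
    """True when the interpolated title added a raw '<' or '"', i.e. changed the markup's structure."""
    return markup.count("<") > TEMPLATE_LT or markup.count('"') > TEMPLATE_QUOTES


def audit() -> dict:
    """How many of the payloads still alter the markup under each approach."""
    return {
        "unescaped": sum(breaks_template(render_item_unescaped(p)) for p in PAYLOADS),
        "strip_script": sum(breaks_template(render_item_unescaped(strip_script_tags(p))) for p in PAYLOADS),
        "escaped": sum(breaks_template(render_item_escaped(p)) for p in PAYLOADS),
    }
```

`audit()` reports that every payload survives the unescaped render, three of four survive the `<script>`-stripping filter, and none survive escaping. The same escaping has to happen wherever the value is rendered, which is why a frontend form that writes site data turns these into unauthenticated issues: the form is just another writer of the same stored string.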