
CVE-2020-26255 – PHP Phar archives could be uploaded and executed in Kirby
https://notcve.org/view.php?id=CVE-2020-26255
08 Dec 2020 — Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14, an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors without Panel access *cannot* use this attack vector. The problem has been patched in Kirby 2.5.14 and Kirby 3.4.5. • https://github.com/getkirby-v2/panel/commit/5a569d4e3ddaea2b6628d7ec1472a3e8bc410881 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2020-26253 – .dev domains treated as local in Kirby
https://notcve.org/view.php?id=CVE-2020-26253
08 Dec 2020 — Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14, there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. This is a security feature, which we implemented years ago in Kirby 2. It helps to avoid that you forget registering your first admin account on a public serv... • https://github.com/getkirby-v2/panel/commit/7f9ac1876bacb89fd8f142f5e561a02ebb725baa • CWE-346: Origin Validation Error

CVE-2018-16623
https://notcve.org/view.php?id=CVE-2018-16623
13 May 2019 — Kirby V2.5.12 is prone to a persistent XSS attack via the Title parameter of the "Site options" in the admin panel dashboard dropdown. • https://github.com/security-breachlock/CVE-2018-16623/blob/master/CVE-2018-16623.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-16624
https://notcve.org/view.php?id=CVE-2018-16624
13 May 2019 — panel/pages/home/edit in Kirby v2.5.12 allows XSS via the title of a new page. • https://github.com/security-breachlock/CVE-2018-16624/blob/master/CVE-2018-16624.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-16630
https://notcve.org/view.php?id=CVE-2018-16630
28 Dec 2018 — Kirby v2.5.12 allows XSS by using the "site files" Add option to upload an SVG file. • https://github.com/security-breachlock/CVE-2018-16630/blob/master/Kirby_Insecure%20file%20validation.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-16627
https://notcve.org/view.php?id=CVE-2018-16627
20 Dec 2018 — panel/login in Kirby v2.5.12 allows Host header injection via the "forget password" feature. • https://github.com/security-breachlock/CVE-2018-16627 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2018-16628
https://notcve.org/view.php?id=CVE-2018-16628
04 Dec 2018 — panel/login in Kirby v2.5.12 allows XSS via a blog name. • https://github.com/security-breachlock/CVE-2018-16628/blob/master/kirby10.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-16807 – Kirby CMS < 2.5.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-16807
13 Nov 2017 — A cross-site scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file. KirbyCM... • https://packetstorm.news/files/id/144965 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')