
CVSS: 6.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. This is a security feature, which we implemented years ago in Kirby 2. It helps to avoid that you forget registering your first admin account on a public server.

• https://github.com/getkirby-v2/panel/commit/7f9ac1876bacb89fd8f142f5e561a02ebb725baa
• https://github.com/getkirby/kirby/releases/tag/3.3.6
• https://github.com/getkirby/kirby/security/advisories/GHSA-2ccx-2gf3-8xvv
• https://packagist.org/packages/getkirby/cms
• https://packagist.org/packages/getkirby/panel
• CWE-346: Origin Validation Error

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

Kirby V2.5.12 is prone to a Persistent XSS attack via the Title of the "Site options" in the admin panel dashboard dropdown.

• https://github.com/security-breachlock/CVE-2018-16623/blob/master/CVE-2018-16623.pdf
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

panel/pages/home/edit in Kirby v2.5.12 allows XSS via the title of a new page.

• https://github.com/security-breachlock/CVE-2018-16624/blob/master/CVE-2018-16624.pdf
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

Kirby v2.5.12 allows XSS by using the "site files" Add option to upload an SVG file.

• https://github.com/security-breachlock/CVE-2018-16630/blob/master/Kirby_Insecure%20file%20validation.pdf
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

panel/login in Kirby v2.5.12 allows Host header injection via the "forget password" feature.

• https://github.com/security-breachlock/CVE-2018-16627
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')