Vulnerability-Lookup

CVE-2021-32735 (GCVE-0-2021-32735)

Vulnerability from cvelistv5 – Published: 2021-07-02 14:45 – Updated: 2024-08-03 23:33

Title

Cross-site scripting (XSS) from field and configuration text displayed in the Panel

Summary

Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CWE

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	getkirby	kirby	Affected: <= 3.5.5, <= 3.5.6

GSD-2021-32735

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-32735

Aliases

CVE-2021-32735

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-32735",
    "description": "Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel\u0027s `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form.",
    "id": "GSD-2021-32735"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-32735"
      ],
      "details": "Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel\u0027s `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form.",
      "id": "GSD-2021-32735",
      "modified": "2023-12-13T01:23:09.378831Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-32735",
        "STATE": "PUBLIC",
        "TITLE": "Cross-site scripting (XSS) from field and configuration text displayed in the Panel"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "kirby",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c= 3.5.5, \u003c= 3.5.6"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "getkirby"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel\u0027s `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm",
            "refsource": "CONFIRM",
            "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm"
          },
          {
            "name": "https://github.com/getkirby/kirby/releases/tag/3.5.7",
            "refsource": "MISC",
            "url": "https://github.com/getkirby/kirby/releases/tag/3.5.7"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-2f2w-349x-vrqm",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=3.5.6",
          "affected_versions": "All versions up to 3.5.6",
          "cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2021-10-21",
          "description": "Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel\u0027s `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form.",
          "fixed_versions": [
            "3.5.7"
          ],
          "identifier": "CVE-2021-32735",
          "identifiers": [
            "GHSA-2f2w-349x-vrqm",
            "CVE-2021-32735"
          ],
          "not_impacted": "All versions after 3.5.6",
          "package_slug": "packagist/getkirby/cms",
          "pubdate": "2021-07-02",
          "solution": "Upgrade to version 3.5.7 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-32735",
            "https://github.com/getkirby/kirby/releases/tag/3.5.7",
            "https://github.com/advisories/GHSA-2f2w-349x-vrqm"
          ],
          "uuid": "63fec127-9a98-461d-9293-8e16f58d188d"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.5.7",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32735"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel\u0027s `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm"
            },
            {
              "name": "https://github.com/getkirby/kirby/releases/tag/3.5.7",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/getkirby/kirby/releases/tag/3.5.7"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2021-07-06T18:21Z",
      "publishedDate": "2021-07-02T15:15Z"
    }
  }
}

CNVD-2021-48509

Vulnerability from cnvd - Published: 2021-07-08

Title

Kirby跨站脚本漏洞（CNVD-2021-48509）

Description

Kirby是一套基于文件的内容管理系统（CMS）。 Kirby 3.5.5 和 3.5.6存在跨站脚本漏洞，该漏洞源于面板的“ListItem”组件（例如用于页面和文件部分）在页面标题中按原样显示 HTML，攻击者可利用该漏洞进行跨站点脚本攻击。

Severity

低

Patch Name

Kirby跨站脚本漏洞（CNVD-2021-48509）的补丁

Patch Description

Kirby是一套基于文件的内容管理系统（CMS）。 Kirby 3.5.5 和 3.5.6存在跨站脚本漏洞，该漏洞源于面板的“ListItem”组件（例如用于页面和文件部分）在页面标题中按原样显示 HTML，攻击者可利用该漏洞进行跨站点脚本攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序,请及时关注更新： https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm

Reference

https://github.com/getkirby/kirby/releases/tag/3.5.7

Impacted products

Name
['Kirby Kirby 3.5.5', 'Kirby Kirby 3.5.6']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-32735"
    }
  },
  "description": "Kirby\u662f\u4e00\u5957\u57fa\u4e8e\u6587\u4ef6\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff08CMS\uff09\u3002\n\nKirby 3.5.5 \u548c 3.5.6\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u9762\u677f\u7684\u201cListItem\u201d\u7ec4\u4ef6\uff08\u4f8b\u5982\u7528\u4e8e\u9875\u9762\u548c\u6587\u4ef6\u90e8\u5206\uff09\u5728\u9875\u9762\u6807\u9898\u4e2d\u6309\u539f\u6837\u663e\u793a HTML\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u8de8\u7ad9\u70b9\u811a\u672c\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f,\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-48509",
  "openTime": "2021-07-08",
  "patchDescription": "Kirby\u662f\u4e00\u5957\u57fa\u4e8e\u6587\u4ef6\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff08CMS\uff09\u3002\r\n\r\nKirby 3.5.5 \u548c 3.5.6\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u9762\u677f\u7684\u201cListItem\u201d\u7ec4\u4ef6\uff08\u4f8b\u5982\u7528\u4e8e\u9875\u9762\u548c\u6587\u4ef6\u90e8\u5206\uff09\u5728\u9875\u9762\u6807\u9898\u4e2d\u6309\u539f\u6837\u663e\u793a HTML\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u8de8\u7ad9\u70b9\u811a\u672c\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Kirby\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2021-48509\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Kirby Kirby 3.5.5",
      "Kirby Kirby 3.5.6"
    ]
  },
  "referenceLink": "https://github.com/getkirby/kirby/releases/tag/3.5.7",
  "serverity": "\u4f4e",
  "submitTime": "2021-07-05",
  "title": "Kirby\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2021-48509\uff09"
}

GHSA-2F2W-349X-VRQM

Vulnerability from github – Published: 2021-07-02 19:18 – Updated: 2023-04-14 19:24

Summary

Cross-site scripting (XSS) from field and configuration text displayed in the Panel

Details

On Saturday, @hdodov reported that the Panel's ListItem component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks.

We used his report as an opportunity to find and fix XSS issues related to dynamic site content throughout the Panel codebase.

Impact

Cross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the Panel session of other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim.

Such vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.

Visitors without Panel access can only use this attack vector if your site allows changing site data from a frontend form (for example user self-registration or the creation of pages from a contact or other frontend form). If you validate or sanitize the provided form data, you are already protected against such attacks by external visitors.

Patches

Kirby 3.5.7 contains patches for the following issues we found during our investigation:

Some translated error and info messages contain placeholders to dynamically insert information like page titles or filenames. While the translation strings are allowed to contain HTML formatting, the dynamic data needs to be protected against XSS attacks. Kirby 3.5.7 now escapes the dynamic data.
Our Box component used to display information for the user supports HTML output for specific use-cases. We found out that the dialogs used in the files, pages and users fields as well as the fields section used it to display raw exception or error messages. These messages are now escaped.
The users and settings views display user and language data using the ListItem component that supports HTML. We now escape the dynamic data before it is passed to the ListItem component.
Some of our sections and fields support HTML for their text, help and/or info properties. This allows custom formatting from the blueprint, but also caused the original issue reported to us that allowed to inject HTML code from the content itself. Kirby 3.5.7 now escapes the default text displayed by the files and pages sections (filename/page title), the files, pages and users fields (filename/page title/username) and by query-based checkboxes, radio, tags and multiselect fields (default text depending on the used query).

Note: Custom text, help and info queries in blueprints are not escaped in 3.5.7. We support HTML in these properties because there are valid use-cases for custom formatting. However there can still be XSS vulnerabilities depending on your use of these properties. In Kirby 3.6 we will provide a new feature that will make it much easier to control whether you want to allow HTML from query placeholders.

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.5.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-02T16:38:10Z",
    "nvd_published_at": "2021-07-02T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "On Saturday, @hdodov reported that the Panel\u0027s `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks.\n\nWe used his report as an opportunity to find and fix XSS issues related to dynamic site content throughout the Panel codebase.\n\n### Impact\n\nCross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the Panel session of other users. In the Panel, a harmful script can for example trigger requests to Kirby\u0027s API with the permissions of the victim.\n\nSuch vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.\n\nVisitors without Panel access can only use this attack vector if your site allows changing site data from a frontend form (for example user self-registration or the creation of pages from a contact or other frontend form). If you validate or sanitize the provided form data, you are already protected against such attacks by external visitors.\n\n### Patches\n\n[Kirby 3.5.7](https://github.com/getkirby/kirby/releases/tag/3.5.7) contains patches for the following issues we found during our investigation:\n\n- Some translated error and info messages contain placeholders to dynamically insert information like page titles or filenames. While the translation strings are allowed to contain HTML formatting, the dynamic data needs to be\u00a0protected against XSS attacks. Kirby 3.5.7 now escapes the dynamic data.\n- Our `Box` component used to display information for the user supports HTML output for specific use-cases. We found out that the dialogs used in the `files`, `pages` and `users` fields as well as the `fields` section used it to display raw exception or error messages. These messages are now escaped.\n- The users and settings views display user and language data using the `ListItem` component that supports HTML. We now escape the dynamic data before it is passed to the `ListItem` component.\n- Some of our sections and fields support HTML for their `text`, `help` and/or `info` properties. This allows custom formatting from the blueprint, but also caused the original issue reported to us that allowed to inject HTML code from the content itself. Kirby 3.5.7 now escapes the default `text` displayed by the `files` and `pages` sections (filename/page title), the `files`, `pages` and `users` fields (filename/page title/username) and by query-based `checkboxes`, `radio`, `tags` and `multiselect` fields (default text depending on the used query).\n\n**Note:** Custom `text`, `help` and `info` queries in blueprints are *not* escaped in 3.5.7. We support HTML in these properties because there are valid use-cases for custom formatting. However there can still be XSS vulnerabilities depending on your use of these properties. In Kirby 3.6 we will provide a new feature that will make it much easier to control whether you want to allow HTML from query placeholders.",
  "id": "GHSA-2f2w-349x-vrqm",
  "modified": "2023-04-14T19:24:30Z",
  "published": "2021-07-02T19:18:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32735"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/commit/f5ead62f8510158bed5baf58ca0e851875778a09"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getkirby/kirby"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/3.5.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-site scripting (XSS) from field and configuration text displayed in the Panel"
}

FKIE_CVE-2021-32735

Vulnerability from fkie_nvd - Published: 2021-07-02 15:15 - Updated: 2024-11-21 06:07

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/getkirby/kirby/releases/tag/3.5.7	Patch, Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm	Patch, Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getkirby/kirby/releases/tag/3.5.7	Patch, Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm	Patch, Release Notes, Third Party Advisory

Impacted products

	Vendor	Product	Version
	getkirby	kirby	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "96192C7D-3864-4CD4-A5D2-A3921230D9C8",
              "versionEndExcluding": "3.5.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel\u0027s `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form."
    },
    {
      "lang": "es",
      "value": "Kirby es un sistema de administraci\u00f3n de contenidos. En las versiones 3.5.5 y 3.5.6 de Kirby CMS, el componente \"ListItem\" del Panel (usado en la secci\u00f3n de p\u00e1ginas y archivos, por ejemplo) mostraba HTML en los t\u00edtulos de las p\u00e1ginas tal cual. Esto pod\u00eda ser usado para ataques de tipo cross-site scripting (XSS). Unos usuarios autenticados maliciosos del Panel pueden escalar sus privilegios si consiguen acceder a la sesi\u00f3n del Panel de un usuario administrador. Unos visitantes sin acceso al Panel pueden usar el vector de ataque si el sitio permite cambiar los datos del sitio desde un formulario del frontend. Kirby versi\u00f3n 3.5.7 parchea la vulnerabilidad. Como soluci\u00f3n alternativa parcial, los administradores del sitio pueden protegerse contra los ataques de visitantes sin acceso al Panel al comprobar o sanear los datos proporcionados desde el formulario frontend"
    }
  ],
  "id": "CVE-2021-32735",
  "lastModified": "2024-11-21T06:07:38.400",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-07-02T15:15:10.503",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/getkirby/kirby/releases/tag/3.5.7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/getkirby/kirby/releases/tag/3.5.7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-80"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-32735 (GCVE-0-2021-32735)

GSD-2021-32735

CNVD-2021-48509

GHSA-2F2W-349X-VRQM

Impact

Patches

FKIE_CVE-2021-32735

Tags

Sightings

Nomenclature