CVE-2021-29460
published 2021-04-27CVE-2021-29460: Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `` tags. The direct link…
PriorityP335medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EXPLOIT
EPSS
3.17%
86.4th percentile
Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for example trigger requests to Kirby's API with the permissions of the victim. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible. Visitors without Panel access can only use this attack vector if your site allows SVG file uploads in frontend forms and you don't already sanitize uploaded SVG files. The problem has been patched in Kirby 3.5.4. Please update to this or a later version to fix the vulnerability. Frontend upload forms need to be patched separately depending on how they store the uploaded file(s). If you use `File::create()`, you are protected by updating to 3.5.4+. As a work around you can disable the upload of SVG files in your file blueprints.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getkirby | cms | >= 0 < 3.5.4 | 3.5.4 |
| getkirby | kirby | < 3.5.4 | 3.5.4 |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby
osv·2021-04-30
CVE-2021-29460 [HIGH] Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby
Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby
### Impact
An editor with write access to the Kirby Panel can upload an SVG or XML file that contains harmful content like `` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for example trigger requests to Kirby's API with the permissions of the victim.
This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.
Visitors without Panel access can only use this
GHSA
Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby
ghsa·2021-04-30
CVE-2021-29460 [HIGH] CWE-79 Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby
Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby
### Impact
An editor with write access to the Kirby Panel can upload an SVG or XML file that contains harmful content like `` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for example trigger requests to Kirby's API with the permissions of the victim.
This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.
Visitors without Panel access can only use this
No detection rules found.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/162359/Kirby-CMS-3.5.3.1-Cross-Site-Scripting.htmlhttps://github.com/getkirby/kirby/releases/tag/3.5.4https://github.com/getkirby/kirby/security/advisories/GHSA-qgp4-5qx6-548ghttp://packetstormsecurity.com/files/162359/Kirby-CMS-3.5.3.1-Cross-Site-Scripting.htmlhttps://github.com/getkirby/kirby/releases/tag/3.5.4https://github.com/getkirby/kirby/security/advisories/GHSA-qgp4-5qx6-548g
2021-04-27
Published