CVE-2021-41258
Published 2021-11-16
Priority P4 (25) · Medium · 5.4 (CVSS 3.1)
Vector: AV:N AC:L PR:L UI:R S:C C:L I:L A:N
EPSS 0.78% (51.3rd percentile)
Kirby is an open source file-structured CMS. In affected versions Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend escaping HTML special characters to protect against cross-site scripting (XSS) attacks. The default snippet for the image block unfortunately did not use our escaping helper. This made it possible to include malicious HTML code in the source, alt and link fields of the image block, which would then be displayed on the site frontend and executed in the browsers of site visitors and of logged-in users who are browsing the site. Attackers must be in your group of authenticated Panel users in order to exploit this weakness. Users who do not make use of the blocks field are not affected. This issue has been patched in Kirby version 3.5.8 by escaping special HTML characters in the output from the default image block snippet. Please update to this or a later version to fix the vulnerability.
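The following is an added example and not Kirby's own image block snippet or any code from the advisory. It runs outside Kirby on a plain PHP array that stands in for the block object, so the `$block` content is constructed here and the `render_image_block_*` and `safe_url` names are hypothetical. `esc_html()` stands in for Kirby's documented `esc()` helper (linked from the advisory's escaping guide) by calling `htmlspecialchars()`. The first renderer reproduces the pattern the advisory describes (field values concatenated straight into attributes), the second applies the escaping that the 3.5.8 fix added, and the third adds a URL scheme check that is not part of the fix: HTML-escaping keeps an attacker inside the attribute, but it does not turn a `javascript:` URL in `href` into a harmless string.

```php
<?php
// Added example (not Kirby's code): a Kirby-style image block rendered as a
// stand-alone PHP script. $block is a constructed array standing in for the
// block object; the helper names below are hypothetical.
declare(strict_types=1);

// Constructed block content as an authenticated Panel user could save it.
$block = [
    'src'  => 'https://example.com/x.png" onerror="alert(document.cookie)',
    'alt'  => '"><script>alert(1)</script>',
    'link' => 'javascript:alert(document.domain)',
];

// Stand-in for Kirby's esc() helper in its default 'html' context.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Before: the pattern described in the advisory. Field values are placed in
// the markup unescaped, so a double quote in src or alt ends the attribute
// and the rest of the value becomes new attributes or new elements.
function render_image_block_unescaped(array $block): string
{
    $img = '<img src="' . $block['src'] . '" alt="' . $block['alt'] . '">';
    if ($block['link'] !== '') {
        return '<a href="' . $block['link'] . '">' . $img . '</a>';
    }
    return $img;
}

// After: what the 3.5.8 fix does in spirit. Every field is HTML-escaped, so
// quotes and angle brackets can no longer break out of the attribute value.
function render_image_block_escaped(array $block): string
{
    $img = '<img src="' . esc_html($block['src']) . '" alt="' . esc_html($block['alt']) . '">';
    if ($block['link'] !== '') {
        return '<a href="' . esc_html($block['link']) . '">' . $img . '</a>';
    }
    return $img;
}

// Additional hardening beyond the patch (my addition, not Kirby's): only
// allow site-relative URLs or an explicit allowlist of schemes, because an
// escaped "javascript:..." href is still a clickable javascript: link.
function safe_url(string $url): ?string
{
    $url = trim($url);
    if ($url === '') {
        return null;
    }
    // Site-relative paths and fragments, but not protocol-relative "//host".
    if (($url[0] === '/' && substr($url, 0, 2) !== '//') || $url[0] === '#') {
        return $url;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https', 'mailto'], true) ? $url : null;
}

function render_image_block_hardened(array $block): string
{
    $src = safe_url($block['src']);
    if ($src === null) {
        return ''; // refuse to render an image whose src has a disallowed scheme
    }
    // The src still carries a stray quote and an onerror= fragment, which
    // passed the scheme check; escaping is what keeps it inside the attribute.
    $img  = '<img src="' . esc_html($src) . '" alt="' . esc_html($block['alt']) . '">';
    $link = safe_url($block['link']);
    return $link === null ? $img : '<a href="' . esc_html($link) . '">' . $img . '</a>';
}

echo "unescaped: ", render_image_block_unescaped($block), PHP_EOL;
echo "escaped:   ", render_image_block_escaped($block), PHP_EOL;
echo "hardened:  ", render_image_block_hardened($block), PHP_EOL;
```

Run it with `php` and compare the three lines: the first emits a working `onerror` handler, a closed `<img>` and an injected `<script>`; the second keeps all three values as inert text inside their attributes; the third also drops the `javascript:` link entirely. The scheme check and the escaping are independent controls, which is why the hardened renderer applies both.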
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getkirby | cms | >= 3.5.0 < 3.5.8 | 3.5.8 |
| getkirby | kirby | — | — |
| getkirby | kirby | 3.5.0 – 3.5.7.1 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.4 | Medium | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 2.1 | Low | AV:N/AC:H/Au:S/C:N/I:P/A:N |
OSV
osv·2021-11-16
CVE-2021-41258 [MEDIUM] Cross-site scripting (XSS) from image block content in the site frontend
### Impact
Kirby's [blocks field](https://getkirby.com/docs/reference/panel/fields/blocks) stores structured data for each block. This data is then used in [block snippets](https://getkirby.com/docs/reference/panel/fields/blocks#block-snippets) to convert the blocks to HTML for use in your templates. We recommend [escaping HTML special characters](https://getkirby.com/docs/guide/templates/escaping) to protect against cross-site scripting (XSS) attacks.
Cross-site scripting (XSS) is a type of vulnerability that allows an attacker to execute arbitrary JavaScript code inside the site frontend or Panel session of other users. If the user is logged in to the Panel, a harmful script can for example trigger requests to Kirby's API with the p
GHSA
ghsa·2021-11-16
CVE-2021-41258 [MEDIUM] CWE-79 Cross-site scripting (XSS) from image block content in the site frontend
(Advisory text identical to the OSV entry above.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/getkirby/kirby/security/advisories/GHSA-cq58-r77c-5jjw
- https://github.com/getkirby/kirby/pull/3510
- https://github.com/getkirby/kirby/releases/tag/3.5.8