CVE-2024-26481
Published: 2024-02-22
Priority: P4 19 · Severity: medium, 4.7 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.40% (32.3rd percentile)
Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getkirby | cms | >= 0 < 3.6.6.5 | 3.6.6.5 |
| getkirby | cms | >= 3.10.0 < 3.10.0.1 | 3.10.0.1 |
| getkirby | cms | >= 3.7.0 < 3.7.5.4 | 3.7.5.4 |
| getkirby | cms | >= 3.8.0 < 3.8.4.3 | 3.8.4.3 |
| getkirby | cms | >= 3.9.0 < 3.9.8.1 | 3.9.8.1 |
| getkirby | cms | >= 4.0.0 < 4.1.1 | 4.1.1 |
| getkirby | kirby | < 3.6.6.5 | 3.6.6.5 |
| getkirby | kirby | — | — |
| getkirby | kirby | >= 3.7.0 < 3.7.5.4 | 3.7.5.4 |
| getkirby | kirby | >= 3.8.0 < 3.8.4.3 | 3.8.4.3 |
| getkirby | kirby | >= 3.9.0 < 3.9.8.1 | 3.9.8.1 |
| getkirby | kirby | 4.0.0 – 4.1.1 | — |
OSV · 2024-02-26
CVE-2024-26481 [MEDIUM] Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field
### TL;DR
This vulnerability affects Kirby sites that use the [URL field](https://getkirby.com/docs/reference/panel/fields/url) in any blueprint.
A successful attack commonly requires that the attacker knows the site's content structure and socially engineers a user who has access to the Panel. The attack *cannot* be automated.
The vulnerability is also limited to self-XSS and *cannot* directly affect other users or visitors of the site.
----
### Introduction
Cross-site scripting (XSS) is a type of vulnerability that allows arbitrary JavaScript code to be executed inside the Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the perm
GHSA · 2024-02-26
CVE-2024-26481 [MEDIUM] CWE-79 Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field
(Advisory text identical to the OSV entry above.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/getkirby/kirby/security/advisories/GHSA-57f2-8p89-66x6
- https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Self-Cross-Site-Scripting-d877183d20af49f8a8f58554bc06d51c?pvs=4