Skip to main content

Kirby CVE-2021-32735

MEDIUM
Basic XSS (CWE-80)
2021-07-02 security-advisories@github.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 02, 2021 - 15:15 nvd
MEDIUM 5.4

DescriptionNVD

Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's ListItem component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form.

AnalysisAI

Kirby is a content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-80. Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's ListItem component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form. Affected products include: Getkirby Kirby.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Kirby

View all
CVE-2024-26483 HIGH POC
8.8 Feb 22

An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbit

CVE-2024-26482 HIGH POC
7.1 Feb 22

An HTML injection vulnerability exists in the Edit Content Layout module of Kirby CMS v4.1.0. Rated high severity (CVSS

CVE-2025-30159 MEDIUM POC
6.3 May 13

Kirby is an open-source content management system. Rated medium severity (CVSS 6.3), this vulnerability is remotely expl

CVE-2024-26484 MEDIUM POC
6.1 Feb 22

A stored cross-site scripting (XSS) vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers

CVE-2018-16627 MEDIUM POC
6.1 Dec 20

panel/login in Kirby v2.5.12 allows Host header injection via the "forget password" feature. Rated medium severity (CVSS

CVE-2023-38490 CRITICAL
10.0 Jul 27

Kirby is a content management system. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, n

CVE-2021-29460 MEDIUM POC
5.4 Apr 27

Kirby is an open source CMS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack co

CVE-2018-16628 MEDIUM POC
5.4 Dec 04

panel/login in Kirby v2.5.12 allows XSS via a blog name. Rated medium severity (CVSS 5.4), this vulnerability is remotel

CVE-2020-26255 CRITICAL
9.1 Dec 08

Kirby is a CMS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. T

CVE-2023-38488 HIGH
8.8 Jul 27

Kirby is a content management system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at

CVE-2018-16630 MEDIUM POC
4.8 Dec 28

Kirby v2.5.12 allows XSS by using the "site files" Add option to upload an SVG file. Rated medium severity (CVSS 4.8), t

CVE-2024-26481 MEDIUM POC
4.7 Feb 22

Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter. Rated medium severi

Share

CVE-2021-32735 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy