VYPR
Moderate severity · OSV Advisory · Published Dec 28, 2018 · Updated Aug 5, 2024

CVE-2018-16630

Description

Kirby CMS v2.5.12 allows authenticated users to upload SVG files as site files, leading to stored XSS via embedded scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Kirby CMS version 2.5.12 is affected by a stored Cross-Site Scripting (XSS) vulnerability in the "site files" feature. The application fails to properly validate or sanitize uploaded SVG files, allowing an attacker to upload an SVG file containing malicious JavaScript or HTML code. The vulnerable component is the file upload handler used when adding site files via the administrative panel. [1] [2]

Exploitation

An attacker must have valid credentials to access the Kirby admin panel and be able to navigate to the site files section. By using the "Add" option to upload an SVG file, the attacker embeds a malicious script within the SVG. When other users (including administrators) view the site files page, the SVG is rendered and the script executes in their browser. The attack does not require any additional user interaction beyond viewing the uploaded file. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information. The attacker gains the same privileges as the victim user viewing the file, potentially leading to further compromise of the Kirby CMS installation. [1]

Mitigation

The official fix was released in Kirby 3.0, which is a major version update and is not a direct patch for v2.5.12. Users running Kirby v2.5.12 should upgrade to Kirby 3.0 or later. Alternatively, administrators can use a web server rule (e.g., .htaccess) to block direct access to SVG files uploaded in the media folder, or disable SVG file uploads by modifying the allowed file types configuration. The vendor has deprecated the v2 series, so no further patches for v2.5.12 are expected. [2]
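A defender-side check of the kind the mitigation above implies, as an added example that is not Kirby's own code: refuse SVG uploads that carry active content instead of relying on a media-folder access rule alone. It assumes the upload handler hands the raw file bytes to accept_svg_upload(); the function names and sample SVG documents are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed example: an allow-list style scan of an uploaded SVG for the
# vectors that turn it into stored XSS when rendered inline by a browser.
SCRIPT_ELEMENTS = {"script", "foreignobject"}


def _local(name: str) -> str:
    """Strip the XML namespace from an ElementTree tag or attribute name."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content was seen."""
    findings = []
    try:
        root = ET.fromstring(data)  # comments and PIs are dropped by the default parser
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        name = _local(elem.tag)
        if name in SCRIPT_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            a = _local(attr)  # handles both href and xlink:href
            if a.startswith("on"):
                findings.append(f"event handler attribute {a} on <{name}>")
            if a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {a} on <{name}>")
    return findings


def accept_svg_upload(data: bytes) -> bool:
    """Hypothetical hook for an upload handler: store the file only when clean."""
    return not svg_active_content(data)


# Constructed sample inputs for demonstration.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
LINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for sample in (BENIGN_SVG, SCRIPT_SVG, HANDLER_SVG, LINK_SVG):
        print(accept_svg_upload(sample), svg_active_content(sample))
```

Serving uploaded SVGs with a Content-Disposition: attachment header or a restrictive Content-Security-Policy is a complementary control, since the scan above only covers the vectors it lists.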

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: getkirby/kirby (Packagist)
Affected versions: <= 2.5.12
Patched versions: none listed

Affected products

2

Patches

0

No patches discovered yet.

References

4
