VYPR
Moderate severity · NVD Advisory · Published Feb 22, 2024 · Updated Aug 14, 2024

CVE-2024-26481

Description

Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kirby CMS 4.1.0 and earlier versions contain a reflected self-XSS in the URL field, enabling social-engineering attacks against Panel users.

Vulnerability

Overview

CVE-2024-26481 describes a reflected self-XSS vulnerability in Kirby CMS v4.1.0 that also affects earlier versions. The issue resides in the URL field blueprint, where a user-entered URL is copied directly into the link target of the field's button without validation of its scheme. When a user opens that link with Ctrl+Click/Cmd+Click, a javascript: URL executes arbitrary JavaScript in the user's own browser context. [1][2]
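The root cause above is a missing scheme check before a field value becomes an href. The snippet below is an added illustration, not Kirby's code and not taken from the advisory: it places a vulnerable rendering that copies the value unchanged next to a hardened one that allow-lists the URL scheme. The function names, the allow-list and the sample inputs are constructed for this example; the javascript: variants show why the check parses the value with the WHATWG URL parser instead of matching a string prefix.

```javascript
// Added example (not Kirby's own code): allow-list the scheme of a
// user-entered URL before it is used as a link target.

// Constructed allow-list: schemes a content editor legitimately needs.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Returns the normalised URL when its scheme is allow-listed, otherwise null.
// Parsing with the WHATWG URL parser means leading whitespace, mixed case
// and embedded tab/newline characters are handled by the same rules the
// browser applies when it follows the link, so "java\tscript:" cannot slip
// past a naive startsWith("javascript:") check.
function safeHref(value) {
  let parsed;
  try {
    parsed = new URL(String(value));
  } catch {
    return null; // relative or malformed input: do not render a link at all
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern described in the overview: the raw field value is the href.
function renderLinkUnsafe(value) {
  return `<a href="${value}" target="_blank">Open</a>`;
}

// Hardened pattern: only allow-listed schemes become an href; anything else
// is shown as escaped text so nothing can execute when it is clicked.
function renderLinkSafe(value) {
  const href = safeHref(value);
  if (href === null) {
    return `<span class="url-invalid">${escapeHtml(String(value))}</span>`;
  }
  return `<a href="${escapeHtml(href)}" target="_blank" rel="noopener">Open</a>`;
}

// Constructed sample inputs: one benign pair, then variants a browser would
// still treat as a javascript: (or otherwise non-navigational) link.
const SAMPLES = [
  "https://example.com/page",
  "mailto:editor@example.com",
  "javascript:alert(document.cookie)",
  "  JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "/relative/path",
];

function checkSamples() {
  return SAMPLES.map((input) => ({ input, safe: safeHref(input) }));
}

for (const row of checkSamples()) {
  console.log(JSON.stringify(row.input), "->", row.safe === null ? "blocked" : row.safe);
}
```

Rendering the rejected value as text rather than silently dropping it keeps the editor's input visible for correction; the decision that matters for the vulnerability is that no href is emitted for a scheme outside the allow-list.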

Exploitation

This is a self-XSS (reflected XSS) vulnerability that requires social engineering: an attacker must trick a Panel user into clicking a crafted link or pasting malicious code. The attack cannot be automated and requires knowledge of the site's content structure. The malicious JavaScript runs only in the victim's own session and does not affect other users directly. [2]

Impact

Successful exploitation allows the attacker to execute JavaScript in the Panel session of the victim, potentially triggering API requests with the victim's permissions. This could lead to privilege escalation if the victim is an admin, or allow data theft and other malicious actions. [2]

Mitigation

The vulnerability has been patched in Kirby versions 3.6.6.5, 3.7.5.4, 3.8.4.3, 3.9.8.1, 3.10.0.1, and 4.1.1. Users are advised to update to the latest patched release. No workarounds are mentioned, but avoiding clicking suspicious links in the Panel can reduce risk. [1][2]

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem   Affected versions        Patched version
getkirby/cms    Packagist   < 3.6.6.5                3.6.6.5
getkirby/cms    Packagist   >= 3.7.0, < 3.7.5.4      3.7.5.4
getkirby/cms    Packagist   >= 3.8.0, < 3.8.4.3      3.8.4.3
getkirby/cms    Packagist   >= 3.9.0, < 3.9.8.1      3.9.8.1
getkirby/cms    Packagist   >= 3.10.0, < 3.10.0.1    3.10.0.1
getkirby/cms    Packagist   >= 4.0.0, < 4.1.1        4.1.1

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)