VYPR

Packagist (Composer) package

getkirby/cms

pkg:composer/getkirby/cms

Vulnerabilities (35)

  • CVE-2023-38490 (Jul 27, 2023)
    affected: < 3.5.8.3, fixed: 3.5.8.3

    Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby c

  • CVE-2023-38489 (Jul 27, 2023)
    affected: < 3.5.8.3, fixed: 3.5.8.3

    Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a d

  • CVE-2023-38488 (Jul 27, 2023)
    affected: < 3.5.8.3, fixed: 3.5.8.3

    Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update a Kirby content

  • CVE-2022-39315 (Oct 25, 2022)
    affected: < 3.5.8.2, fixed: 3.5.8.2

    Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because

  • CVE-2022-39314 (Oct 24, 2022)
    affected: >= 3.5.0, < 3.5.8.2, fixed: 3.5.8.2

    Kirby is a flat-file CMS. In versions prior to 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, Kirby is subject to user enumeration due to Improper Restriction of Excessive Authentication Attempts. This vulnerability affects you only if you are using the `code` or `password-reset` auth met

  • CVE-2022-36037 (Aug 29, 2022)
    affected: < 3.5.8.1, fixed: 3.5.8.1

    Kirby is a content management system (CMS) that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting (XSS) is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other

  • CVE-2018-14519 (Aug 24, 2022)
    affected: <= 2.5.12

    An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.

  • CVE-2018-14520 (Aug 24, 2022)
    affected: <= 2.5.12

    An issue was discovered in Kirby 2.5.12. The application allows malicious HTTP requests to be sent in order to trick a user into adding web pages.

  • CVE-2021-41258 (Nov 16, 2021)
    affected: >= 3.5.0, < 3.5.8, fixed: 3.5.8

    Kirby is an open source file structured CMS. In affected versions Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to escape HTML special characters to protec

  • CVE-2021-41252 (Nov 16, 2021)
    affected: >= 3.5.0, < 3.5.8, fixed: 3.5.8

    Kirby is an open source file structured CMS. Impact: Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, otherwise the formatting would be

  • CVE-2021-32735 (Jul 2, 2021)
    affected: < 3.5.7, fixed: 3.5.7

    Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticat

  • CVE-2021-29460 (Apr 27, 2021)
    affected: < 3.5.4, fixed: 3.5.4

    Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `<script>` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where

  • CVE-2020-26255 (Dec 8, 2020)
    affected: >= 3.0.0, < 3.4.5, fixed: 3.4.5

    Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14, an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers i

  • CVE-2020-26253 (Dec 8, 2020)
    affected: >= 3.0.0, < 3.3.6, fixed: 3.3.6

    Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin a

  • CVE-2017-16807, severity Med (Nov 13, 2017)
    affected: < 2.3.3, fixed: 2.3.3

    A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
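As an added practitioner check (example code, not part of the VYPR page and not Kirby's own code), the script below audits the getkirby/cms version pinned in a composer.lock against the advisories listed above. The ranges are transcribed from this page. Where an entry's description names a fixed version per release branch (the three 2023 entries, the two 2022 user-enumeration entries, and the 2.4.x/2.5.x branches of CVE-2017-16807), those branches are encoded as well, because the single "affected" range shown per entry covers only the lowest branch and would report a 3.6.x or 3.7.x install as clean. The composer.lock excerpt is constructed, the constraint syntax is Composer-style (`||` for OR, whitespace for AND), and the rule that a prerelease suffix such as `-rc.1` sorts below its final release is an assumption of this example.

```python
"""Audit a composer.lock against the getkirby/cms advisories listed on this page.

Added example; not code from the VYPR page or from the Kirby project.
"""
import json
import re

# Transcribed from this page. Per-branch ranges come from the entry
# descriptions where they list fixed versions per release line.
_KIRBY_2023 = ("<3.5.8.3 || >=3.6.0 <3.6.6.3 || >=3.7.0 <3.7.5.2 || "
               ">=3.8.0 <3.8.4.1 || >=3.9.0 <3.9.6")
_KIRBY_2022 = ">=3.6.0 <3.6.6.2 || >=3.7.0 <3.7.5.1 || >=3.8.0 <3.8.1"

ADVISORIES = {
    "CVE-2023-38490": _KIRBY_2023,
    "CVE-2023-38489": _KIRBY_2023,
    "CVE-2023-38488": _KIRBY_2023,
    "CVE-2022-39315": "<3.5.8.2 || " + _KIRBY_2022,
    "CVE-2022-39314": ">=3.5.0 <3.5.8.2 || " + _KIRBY_2022,
    "CVE-2022-36037": "<3.5.8.1",
    "CVE-2018-14519": "<=2.5.12",
    "CVE-2018-14520": "<=2.5.12",
    "CVE-2021-41258": ">=3.5.0 <3.5.8",
    "CVE-2021-41252": ">=3.5.0 <3.5.8",
    "CVE-2021-32735": "<3.5.7",
    "CVE-2021-29460": "<3.5.4",
    "CVE-2020-26255": ">=3.0.0 <3.4.5",
    "CVE-2020-26253": ">=3.0.0 <3.3.6",
    "CVE-2017-16807": "<2.3.3 || >=2.4.0 <2.4.2 || >=2.5.0 <2.5.7",
}

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:-(.+))?$")
_CLAUSE_RE = re.compile(r"(>=|<=|>|<|=)\s*(\S+)")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def parse_version(text):
    """'v3.9.6-rc.1' -> ((3, 9, 6, 0), 0); '3.9.6' -> ((3, 9, 6, 0), 1).

    Numeric parts are compared as integers (so 2.5.12 > 2.5.7) and padded
    to four places to match Kirby's x.y.z.w patch releases. Assumption: any
    suffix after '-' marks a prerelease that sorts below the final release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts), 0 if m.group(2) else 1


def matches(version, constraint):
    """True if `version` satisfies the Composer-style `constraint`."""
    v = parse_version(version)
    for alternative in constraint.split("||"):
        clauses = _CLAUSE_RE.findall(alternative)
        if not clauses:
            raise ValueError(f"empty alternative in constraint {constraint!r}")
        if all(_OPS[op](v, parse_version(bound)) for op, bound in clauses):
            return True
    return False


def installed_version(lock_json, package="getkirby/cms"):
    """Return the locked version of `package` from composer.lock text, or None."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def audit(version, advisories=ADVISORIES):
    """Sorted CVE ids from `advisories` whose affected range contains `version`."""
    return sorted(cve for cve, rng in advisories.items() if matches(version, rng))


# Constructed composer.lock excerpt for the demo (not a real project's file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "getkirby/cms", "version": "3.6.6.2"},
        {"name": "getkirby/composer-installer", "version": "1.2.1"},
    ]
})

if __name__ == "__main__":
    ver = installed_version(SAMPLE_LOCK)
    hits = audit(ver)
    print(f"getkirby/cms {ver}: {len(hits)} listed advisories apply")
    for cve in hits:
        print(f"  {cve}  affected: {ADVISORIES[cve]}")
```

Run against the constructed lock file, the 3.6.6.2 install is reported as affected by the three 2023 advisories only: it sits above the 3.6.6.2 fix for the 2022 user-enumeration entries but below 3.6.6.3. Using the page's bare "< 3.5.8.3" range instead would have reported it clean, which is the caveat to keep in mind when reading per-package listings that collapse multiple maintained branches into one range.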

Page 2 of 2