
17 matches found

Github Security Blog
added 2024/02/26 8:1 p.m. | 23 views

Kirby vulnerable to Cross-site scripting (XSS) in the link field "Custom" type

TL;DR This vulnerability affects Kirby sites that use the new link field and output the entered link without additional validation or sanitization. The attack commonly requires user interaction by another user or visitor. The link dialog of the writer field is not affected as the writer field...

CVSS 5.4 | AI score 5.7 | EPSS 0.00781
Exploits: 0 | References: 5 | Affected Software: 1
OSV
added 2024/02/26 8:1 p.m. | 25 views

GHSA-63H4-W25C-3QV4 Kirby vulnerable to Cross-site scripting (XSS) in the link field "Custom" type

TL;DR This vulnerability affects Kirby sites that use the new link field and output the entered link without additional validation or sanitization. The attack commonly requires user interaction by another user or visitor. The link dialog of the writer field is not affected as the writer field...

CVSS 4.6 | AI score 5.3 | EPSS 0.00781
Exploits: 0 | References: 5
Github Security Blog
added 2024/02/26 5:19 p.m. | 34 views

Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field

TL;DR This vulnerability affects Kirby sites that use the URL field in any blueprint. A successful attack commonly requires knowledge of the content structure by the attacker as well as social engineering of a user with access to the Panel. The attack cannot be automated. The vulnerability is als...

CVSS 4.7 | AI score 6.3 | EPSS 0.00098
Exploits: 1 | References: 4 | Affected Software: 1
Positive Technologies
added 2022/08/30 12:0 a.m. | 2 views

PT-2022-28279 · Kirby · Kirby

Name of the Vulnerable Software and Affected Versions: Kirby versions prior to 3.5.8.1 Kirby versions prior to 3.6.6.1 Kirby versions prior to 3.7.4 Description: Cross-site scripting XSS allows the execution of JavaScript code inside the Panel session of the same or other users. This vulnerabilit...

CVSS 7.1 | AI score 5.8
Exploits: 0 | References: 3
NVD
added 2022/08/29 6:15 p.m. | 10 views

CVE-2022-36037

kirby is a content management system CMS that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting XSS is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel,...

CVSS 5.9 | EPSS 0.00598
Exploits: 0 | References: 3
Prion
added 2022/08/29 6:15 p.m. | 9 views

Cross site scripting

kirby is a content management system CMS that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting XSS is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel,...

CVSS 5.5 | AI score 5.5 | EPSS 0.00598
Exploits: 0 | References: 3 | Affected Software: 1
CVE
added 2022/08/29 5:35 p.m. | 493 views

CVE-2022-36037

CVE-2022-36037 describes a cross-site scripting (XSS) flaw in Kirby CMS related to the Panel’s multiselect field. The vulnerability arises because Kirby 3.5 used HTML rendering for the raw option value, allowing attackers who can influence the options source (e.g., content of sibling pages or an ...

CVSS 5.9 | AI score 5.5 | EPSS 0.00598
Exploits: 0 | References: 3 | Affected Software: 1
OSV
added 2022/08/29 5:35 p.m. | 31 views

CVE-2022-36037 Cross-site scripting (XSS) from dynamic options in the multiselect field in Kirby

kirby is a content management system CMS that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting XSS is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel,...

CVSS 5.9 | AI score 5.6 | EPSS 0.00598
Exploits: 0 | References: 5
Cvelist
added 2022/08/29 5:35 p.m. | 15 views

CVE-2022-36037 Cross-site scripting (XSS) from dynamic options in the multiselect field in Kirby

kirby is a content management system CMS that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting XSS is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel,...

CVSS 5.9 | AI score 5.9 | EPSS 0.00598
Exploits: 0 | References: 3
OSV
added 2022/08/29 5:34 p.m. | 31 views

GHSA-3F89-869F-5W76 Cross-site scripting from dynamic options in the multiselect field

Introduction Cross-site scripting XSS is a type of vulnerability that allows to execute any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim. Such...

CVSS 5.9 | AI score 5.7 | EPSS 0.00598
Exploits: 0 | References: 5
Positive Technologies
added 2022/08/29 12:0 a.m. | 2 views

PT-2022-23133 · Kirby · Kirby

Name of the Vulnerable Software and Affected Versions: Kirby versions 3.5 through 3.5.8.0 Description: Cross-site scripting XSS allows execution of JavaScript code inside the Panel session of the same or other users. A harmful script can trigger requests to Kirby's API with the permissions of the...

CVSS 5.9 | AI score 5.5 | EPSS 0.00598
Exploits: 0 | References: 9
OSV
added 2021/11/16 5:4 p.m. | 16 views

GHSA-CQ58-R77C-5JJW Cross-site scripting (XSS) from image block content in the site frontend

Impact Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to escape HTML special characters against cross-site scripting XSS attacks. Cross-site scripting XSS is a type of...

CVSS 5.4 | AI score 6 | EPSS 0.00914
Exploits: 0 | References: 5
Github Security Blog
added 2021/11/16 5:4 p.m. | 41 views

Cross-site scripting (XSS) from image block content in the site frontend

Impact Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to escape HTML special characters against cross-site scripting XSS attacks. Cross-site scripting XSS is a type of...

CVSS 7.3 | EPSS 0.00914
Exploits: 0 | References: 5 | Affected Software: 1
Github Security Blog
added 2021/11/16 5:4 p.m. | 33 views

Cross-site scripting (XSS) from writer field content in the site frontend

Impact Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting XSS attacks, otherwise the formatting would be lost. Cross-site scripting XSS is a type of vulnerability that...

CVSS 7.3 | AI score 0.2 | EPSS 0.00785
Exploits: 0 | References: 5 | Affected Software: 1
Cvelist
added 2019/09/27 12:8 p.m. | 19 views

CVE-2019-13376

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS...

AI score 6.8 | EPSS 0.00057
Exploits: 1 | References: 2
Trend Micro Simply Security
added 2018/10/30 4:4 p.m. | 52 views

Extending Public-Private Partnerships with Milipol

By: Loïc Guézo At Trend Micro, we’ve been protecting consumers, SMBs, enterprises and government customers from the latest threats for three decades now. This has required us to build a global team of experienced researchers, state-of-the-art R&D labs and much more, to fuel our industry-leading...

AI score 7.5
Exploits: 0
Information Security Automation
added 2018/04/22 12:23 p.m. | 107 views

CyberCentral Summit 2018 in Prague

Almost the whole of last week I spent in Prague at the CyberCentral conference. It was a pretty unique experience for me. I was at an international conference as a speaker for the first time. And not only did I present my report there, but I also led the round table on Vulnerability Management and participated in ...

AI score 7.2
Exploits: 0