CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS
Percentile: 70.0%
getkirby/cms is vulnerable to XML External Entity (XXE). The vulnerability exists due to a lack of data handler validation in the parse function in Xml.php, which allows an attacker to submit a malicious XML file, resulting in an arbitrary file being read on the target system.
github.com/getkirby/kirby/commit/277b05662d2b67386f0a0f18323cf68b30e86387
github.com/getkirby/kirby/commit/4b2c454039c27e87e7dbda4a52afdbc012e57efd
github.com/getkirby/kirby/commit/740cd10ceadda54f1947a2aa3b212d0a9187b6c4
github.com/getkirby/kirby/commit/b5bbcf6a033f51cc3ee5645f85df6afd6ef5e1cc
github.com/getkirby/kirby/commit/d9cba7b4c4213be887a09bda51fa8803a14c1bac
github.com/getkirby/kirby/releases/tag/3.5.8.3
github.com/getkirby/kirby/releases/tag/3.6.6.3
github.com/getkirby/kirby/releases/tag/3.7.5.2
github.com/getkirby/kirby/releases/tag/3.8.4.1
github.com/getkirby/kirby/releases/tag/3.9.6
github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp