Lucene search

GitHub Advisory DatabaseGHSA-3GQ5-R59M-MMV2

HistoryMay 14, 2022 - 1:31 a.m.

Kirby XSS Vulnerability

2022-05-1401:31:22

CWE-79

GitHub Advisory Database

github.com

kirby

xss

vulnerability

site files

upload

svg

software

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

24.8%

JSON

Kirby v2.5.12 allows XSS by using the “site files” Add option to upload an SVG file.

Affected configurations

Vulners

Node

getkirbykirbyRange≤2.5.12

VendorProductVersionCPE
getkirbykirby*cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
getkirby	kirby	*	cpe:2.3:a:getkirby:kirby::::::::

References

github.com/advisories/GHSA-3gq5-r59m-mmv2

nvd.nist.gov/vuln/detail/CVE-2018-16630

web.archive.org/web/20201208015414/https://github.com/security-breachlock/CVE-2018-16630/blob/master/Kirby_Insecure%20file%20validation.pdf

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

24.8%

JSON

Related for GHSA-3GQ5-R59M-MMV2