Lucene search

Veracode Vulnerability DatabaseVERACODE:41877

HistoryJul 31, 2023 - 6:19 a.m.

Cross-site Scripting (XSS)

2023-07-3106:19:08

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

getkirby/cms

cross-site scripting

file function

response.php

arbitrary script injection

mime auto-detection

CVSS3

5.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

55.9%

JSON

getkirby/cms is vulnerable to Cross-site Scripting (XSS). The vulnerability exists in the file function at Response.php due to the MIME auto-detection of uploaded files which allows an attacker to upload a file with an arbitrary MIME type and inject arbitrary scripts.

References

github.com/getkirby/kirby/commit/2f06ba1c026bc91cb0702bc16b7d505642536d15

github.com/getkirby/kirby/commit/3b19a2401e05a67be4e085970784ade8fb4989aa

github.com/getkirby/kirby/commit/68c6516fabe78f7ba5b61a22733f68070693435e

github.com/getkirby/kirby/commit/692228ec533e1aabbe19ba65d6aedf10366bf58a

github.com/getkirby/kirby/commit/a8152bf413824794e9f781a853c8c3706a6f18b5

github.com/getkirby/kirby/releases/tag/3.5.8.3

github.com/getkirby/kirby/releases/tag/3.6.6.3

github.com/getkirby/kirby/releases/tag/3.7.5.2

github.com/getkirby/kirby/releases/tag/3.8.4.1

github.com/getkirby/kirby/releases/tag/3.9.6

github.com/getkirby/kirby/security/advisories/GHSA-8fv7-wq38-f5c9

CVSS3

5.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

55.9%

JSON

Related for VERACODE:41877