CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile: 55.9%
getkirby/cms is vulnerable to Cross-site Scripting (XSS). The vulnerability exists in the file function in Response.php: because the MIME type of uploaded files is auto-detected, an attacker with upload privileges can upload a file with an arbitrary MIME type and inject arbitrary scripts that are then served to other users.
github.com/getkirby/kirby/commit/2f06ba1c026bc91cb0702bc16b7d505642536d15
github.com/getkirby/kirby/commit/3b19a2401e05a67be4e085970784ade8fb4989aa
github.com/getkirby/kirby/commit/68c6516fabe78f7ba5b61a22733f68070693435e
github.com/getkirby/kirby/commit/692228ec533e1aabbe19ba65d6aedf10366bf58a
github.com/getkirby/kirby/commit/a8152bf413824794e9f781a853c8c3706a6f18b5
github.com/getkirby/kirby/releases/tag/3.5.8.3
github.com/getkirby/kirby/releases/tag/3.6.6.3
github.com/getkirby/kirby/releases/tag/3.7.5.2
github.com/getkirby/kirby/releases/tag/3.8.4.1
github.com/getkirby/kirby/releases/tag/3.9.6
github.com/getkirby/kirby/security/advisories/GHSA-8fv7-wq38-f5c9