Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2021-29460

Disclosure Date: April 27, 2021 •

CVE-2021-29460 CVSS v3 Base Score: 5.4

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like <script> tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for example trigger requests to Kirby’s API with the permissions of the victim. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible. Visitors without Panel access can only use this attack vector if your site allows SVG file uploads in frontend forms and you don’t already sanitize uploaded SVG files. The problem has been patched in Kirby 3.5.4. Please update to this or a later version to fix the vulnerability. Frontend upload forms need to be patched separately depending on how they store the uploaded file(s). If you use File::create(), you are protected by updating to 3.5.4+. As a work around you can disable the upload of SVG files in your file blueprints.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.4 Medium

Impact Score:

2.7

Exploitability Score:

2.3

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

Required

Scope (S):

Changed

Confidentiality (C):

Low

Integrity (I):

Low

Availability (A):

None

References

Canonical

CVE-2021-29460 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29460)

Advisory

https://github.com/getkirby/kirby/security/advisories/GHSA-qgp4-5qx6-548g

Miscellaneous

https://github.com/getkirby/kirby/releases/tag/3.5.4

http://packetstormsecurity.com/files/162359/Kirby-CMS-3.5.3.1-Cross-Site-Scripting.html

Rapid7

Unknown

CVE-2021-29460

Unknown

Unknown

Required

Low

Network

CVE-2021-29460

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Weaknesses

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2021-29460

Unknown

Unknown

Required

Low

Network

CVE-2021-29460

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Weaknesses

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification