Kirby Content Management System Cross-Site Scripting Vulnerability in Changes Dialog

A cross-site scripting vulnerability has been identified in Kirby, an open-source content management system, affecting versions 5.0.0 prior to 5.1.3. This vulnerability allows attackers to execute malicious JavaScript in the Panel session of users. The issue arises from the ability to change page titles or usernames to include harmful scripts, which could then be executed when another authenticated user views the 'Changes' dialog in the Panel. The vulnerability requires user interaction and cannot be automated, making it a concern for sites with potential attackers among authenticated Panel users or those allowing external visitors to modify page titles or usernames.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where malicious scripts are executed in the context of the user's Panel session. This could lead to unauthorized API requests with the victim's permissions, and in cases where an admin's session is compromised, could allow for privilege escalation.

Remediation

Users are advised to update Kirby to version 5.1.4 or later, where this vulnerability has been patched. The update includes necessary code changes to properly escape model titles, preventing the execution of malicious scripts.