Kirby XML Injection Vulnerability in the XML Creator Toolkit

Vulnerability

A vulnerability allowing XML injection has been identified in Kirby, an open-source content management system. It affects Kirby versions up to and including 4.8.0 and versions 5.0.0 through 5.3.3, specifically the 'Xml' data handling methods. The flaw lies in how the 'Xml::value()' method handles 'CDATA' blocks: structured data passed to it can bypass validation and alter the generated XML, potentially manipulating the behavior of systems that parse that XML. The issue is not present in the Kirby core but may affect sites or plugins that use these XML methods with untrusted input.
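As an added illustration that is not Kirby's code and not taken from this advisory: the page does not name the special characters involved, so this example assumes the relevant one is the CDATA terminator ']]>', the only sequence that ends a CDATA section in XML. It places a naive CDATA wrapper beside a hardened one and adds the parse-based round-trip check a site or plugin author can run on their own XML output. The document structure ('feed', 'title', 'count') is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample value: a title that would end a CDATA section early.
INJECTED_SAMPLE = "quarterly report]]><note>unexpected element</note>"


def naive_cdata(value: str) -> str:
    """Weak form: wraps the value without handling the CDATA terminator."""
    return "<![CDATA[" + value + "]]>"


def safe_cdata(value: str) -> str:
    """Hardened form: every ']]>' in the value is split across two CDATA
    sections (']]' ends the first, '>' starts the second), so the value
    can never close the section it sits in."""
    return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def build_doc(title: str, encoder) -> str:
    """Minimal document standing in for XML that a site or plugin emits
    (hypothetical structure, not a Kirby format)."""
    return "<feed><title>" + encoder(title) + "</title><count>1</count></feed>"


def roundtrip_ok(title: str, encoder) -> bool:
    """Defender's check: the document must parse, the title must come back
    unchanged, and no element may have appeared inside <title>."""
    try:
        root = ET.fromstring(build_doc(title, encoder))
    except ET.ParseError:
        return False
    node = root.find("title")
    return node is not None and node.text == title and len(node) == 0


if __name__ == "__main__":
    for enc in (naive_cdata, safe_cdata):
        print(enc.__name__, roundtrip_ok(INJECTED_SAMPLE, enc))
```

The naive wrapper fails the check on the sample value while the hardened one passes; the same check can be pointed at any XML a site generates from untrusted input.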

Impact

Exploitation of this vulnerability allows for XML injection: an attacker can alter the XML output by injecting special characters. Depending on how the receiving system interprets the injected content, this can lead to unintended actions in any system that processes the XML.

Remediation

Users are advised to update to Kirby versions 4.9.0 or 5.4.0, both of which include patches for this vulnerability. Instructions for downloading these versions are available on the Kirby GitHub releases page.

Added: Apr 24, 2026, 1:23 AM
Updated: Apr 24, 2026, 1:23 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 6.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.