Kirby Server-Side Template Injection Vulnerability via Untrusted Option Fields

A server-side template injection vulnerability has been identified in Kirby, an open-source content management system, in versions prior to 4.9.0 and 5.4.0. This vulnerability arises in sites using option fields such as checkboxes, color, multiselect, select, radio, tags, or toggles, with options sourced from untrusted queries or APIs. The issue allows authenticated attackers to inject malicious templates that could be executed in the Kirby Panel, potentially accessing or altering protected site information. The vulnerability is exacerbated by double resolution of dynamic option values, which could lead to unauthorized access or actions, especially if exploited by a user with higher permissions.

Impact

Exploitation of this vulnerability allows for server-side template injection, where injected user input is executed as a template command. This could lead to remote code execution on the server, access to protected site information, unauthorized alterations of site content, or disruption of normal site behavior.

Remediation

Users are advised to update to Kirby versions 4.9.0 or 5.4.0. Instructions for updating Kirby via Composer are available in the Kirby 5.4.0 release notes.