Vulnerability-Lookup

CNVD-2021-95256

Vulnerability from cnvd - Published: 2021-12-08

Title

Kirby跨站脚本漏洞（CNVD-2021-95256）

Description

Kirby是一套基于文件的内容管理系统（CMS）。 Kirby存在跨站脚本漏洞，该漏洞源于产品未对输入数据做有效验证，攻击者可利用该漏洞执行客户端代码。

Severity

低

Patch Name

Kirby跨站脚本漏洞（CNVD-2021-95256）的补丁

Patch Description

Kirby是一套基于文件的内容管理系统（CMS）。 Kirby存在跨站脚本漏洞，该漏洞源于产品未对输入数据做有效验证，攻击者可利用该漏洞执行客户端代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/getkirby/kirby/security/advisories/GHSA-x7j7-qp7j-hw3q

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-41252

Impacted products

Name
Kirby Kirby <3.5.8

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-41252"
    }
  },
  "description": "Kirby\u662f\u4e00\u5957\u57fa\u4e8e\u6587\u4ef6\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff08CMS\uff09\u3002\n\nKirby\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u672a\u5bf9\u8f93\u5165\u6570\u636e\u505a\u6709\u6548\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/getkirby/kirby/security/advisories/GHSA-x7j7-qp7j-hw3q",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-95256",
  "openTime": "2021-12-08",
  "patchDescription": "Kirby\u662f\u4e00\u5957\u57fa\u4e8e\u6587\u4ef6\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff08CMS\uff09\u3002\r\n\r\nKirby\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u672a\u5bf9\u8f93\u5165\u6570\u636e\u505a\u6709\u6548\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Kirby\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2021-95256\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Kirby Kirby \u003c3.5.8"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-41252",
  "serverity": "\u4f4e",
  "submitTime": "2021-11-17",
  "title": "Kirby\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2021-95256\uff09"
}

CVE-2021-41252 (GCVE-0-2021-41252)

Vulnerability from cvelistv5 – Published: 2021-11-16 18:05 – Updated: 2024-08-04 03:08

Title

Cross-site scripting (XSS) from writer field content in the site frontend

Summary

Kirby is an open source file structured CMS ### Impact Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, otherwise the formatting would be lost. If the user is logged in to the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim. Because the writer field did not securely sanitize its contents on save, it was possible to inject malicious HTML code into the content file by sending it to Kirby's API directly without using the Panel. This malicious HTML code would then be displayed on the site frontend and executed in the browsers of site visitors and logged in users who are browsing the site. Attackers must be in your group of authenticated Panel users in order to exploit this weakness. Users who do not make use of the writer field are not affected. This issue has been patched in Kirby 3.5.8 by sanitizing all writer field contents on the backend whenever the content is modified via Kirby's API. Please update to this or a later version to fix the vulnerability.

Severity ?

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/getkirby/kirby/security/adviso…	x_refsource_CONFIRM
	https://github.com/getkirby/kirby/commit/25fc5c6b…	x_refsource_MISC
	https://github.com/getkirby/kirby/releases/tag/3.5.8	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	getkirby	kirby	Affected: >= 3.5.0, < 3.5.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:08:31.511Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-x7j7-qp7j-hw3q"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/getkirby/kirby/commit/25fc5c6b330442e6433c99befc688f3698c5d1fc"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/getkirby/kirby/releases/tag/3.5.8"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kirby",
          "vendor": "getkirby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.5.0, \u003c 3.5.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kirby is an open source file structured CMS ### Impact Kirby\u0027s writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, otherwise the formatting would be lost. If the user is logged in to the Panel, a harmful script can for example trigger requests to Kirby\u0027s API with the permissions of the victim. Because the writer field did not securely sanitize its contents on save, it was possible to inject malicious HTML code into the content file by sending it to Kirby\u0027s API directly without using the Panel. This malicious HTML code would then be displayed on the site frontend and executed in the browsers of site visitors and logged in users who are browsing the site. Attackers must be in your group of authenticated Panel users in order to exploit this weakness. Users who do not make use of the writer field are not affected. This issue has been patched in Kirby 3.5.8 by sanitizing all writer field contents on the backend whenever the content is modified via Kirby\u0027s API. Please update to this or a later version to fix the vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-16T18:05:10",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-x7j7-qp7j-hw3q"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getkirby/kirby/commit/25fc5c6b330442e6433c99befc688f3698c5d1fc"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getkirby/kirby/releases/tag/3.5.8"
        }
      ],
      "source": {
        "advisory": "GHSA-x7j7-qp7j-hw3q",
        "discovery": "UNKNOWN"
      },
      "title": "Cross-site scripting (XSS) from writer field content in the site frontend",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41252",
          "STATE": "PUBLIC",
          "TITLE": "Cross-site scripting (XSS) from writer field content in the site frontend"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "kirby",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 3.5.0, \u003c 3.5.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "getkirby"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Kirby is an open source file structured CMS ### Impact Kirby\u0027s writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, otherwise the formatting would be lost. If the user is logged in to the Panel, a harmful script can for example trigger requests to Kirby\u0027s API with the permissions of the victim. Because the writer field did not securely sanitize its contents on save, it was possible to inject malicious HTML code into the content file by sending it to Kirby\u0027s API directly without using the Panel. This malicious HTML code would then be displayed on the site frontend and executed in the browsers of site visitors and logged in users who are browsing the site. Attackers must be in your group of authenticated Panel users in order to exploit this weakness. Users who do not make use of the writer field are not affected. This issue has been patched in Kirby 3.5.8 by sanitizing all writer field contents on the backend whenever the content is modified via Kirby\u0027s API. Please update to this or a later version to fix the vulnerability."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/getkirby/kirby/security/advisories/GHSA-x7j7-qp7j-hw3q",
              "refsource": "CONFIRM",
              "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-x7j7-qp7j-hw3q"
            },
            {
              "name": "https://github.com/getkirby/kirby/commit/25fc5c6b330442e6433c99befc688f3698c5d1fc",
              "refsource": "MISC",
              "url": "https://github.com/getkirby/kirby/commit/25fc5c6b330442e6433c99befc688f3698c5d1fc"
            },
            {
              "name": "https://github.com/getkirby/kirby/releases/tag/3.5.8",
              "refsource": "MISC",
              "url": "https://github.com/getkirby/kirby/releases/tag/3.5.8"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-x7j7-qp7j-hw3q",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41252",
    "datePublished": "2021-11-16T18:05:10",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T03:08:31.511Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-95256

CVE-2021-41252 (GCVE-0-2021-41252)

Tags

Sightings

Nomenclature