Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJmMnctMzQ5eC12cnFt
Cross-site scripting (XSS) from field and configuration text displayed in the Panel
On Saturday, @hdodov reported that the Panel's ListItem
component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks.
We used his report as an opportunity to find and fix XSS issues related to dynamic site content throughout the Panel codebase.
Impact
Cross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the Panel session of other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim.
Such vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.
Visitors without Panel access can only use this attack vector if your site allows changing site data from a frontend form (for example user self-registration or the creation of pages from a contact or other frontend form). If you validate or sanitize the provided form data, you are already protected against such attacks by external visitors.
Patches
Kirby 3.5.7 contains patches for the following issues we found during our investigation:
- Some translated error and info messages contain placeholders to dynamically insert information like page titles or filenames. While the translation strings are allowed to contain HTML formatting, the dynamic data needs to be protected against XSS attacks. Kirby 3.5.7 now escapes the dynamic data.
- Our
Box
component used to display information for the user supports HTML output for specific use-cases. We found out that the dialogs used in thefiles
,pages
andusers
fields as well as thefields
section used it to display raw exception or error messages. These messages are now escaped. - The users and settings views display user and language data using the
ListItem
component that supports HTML. We now escape the dynamic data before it is passed to theListItem
component. - Some of our sections and fields support HTML for their
text
,help
and/orinfo
properties. This allows custom formatting from the blueprint, but also caused the original issue reported to us that allowed to inject HTML code from the content itself. Kirby 3.5.7 now escapes the defaulttext
displayed by thefiles
andpages
sections (filename/page title), thefiles
,pages
andusers
fields (filename/page title/username) and by query-basedcheckboxes
,radio
,tags
andmultiselect
fields (default text depending on the used query).
Note: Custom text
, help
and info
queries in blueprints are not escaped in 3.5.7. We support HTML in these properties because there are valid use-cases for custom formatting. However there can still be XSS vulnerabilities depending on your use of these properties. In Kirby 3.6 we will provide a new feature that will make it much easier to control whether you want to allow HTML from query placeholders.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJmMnctMzQ5eC12cnFt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Identifiers: GHSA-2f2w-349x-vrqm, CVE-2021-32735
References:
- https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm
- https://nvd.nist.gov/vuln/detail/CVE-2021-32735
- https://github.com/getkirby/kirby/releases/tag/3.5.7
- https://github.com/getkirby/kirby/commit/f5ead62f8510158bed5baf58ca0e851875778a09
- https://github.com/advisories/GHSA-2f2w-349x-vrqm
Blast Radius: 18.3
Affected Packages
packagist:getkirby/cms
Dependent packages: 199Dependent repositories: 378
Downloads: 308,153 total
Affected Version Ranges: <= 3.5.6
Fixed in: 3.5.7
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6
All unaffected versions: 3.5.7, 3.5.8, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.9.8, 3.10.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.2.0