A stored cross-site scripting (XSS) vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Link field. NOTE: the vendor's position is that this issue did not affect any version of Kirby CMS. The only effect was on the trykirby.com demo site, which is not customer-controlled.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-02-22
Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter.
CVSS Score
4.7
EPSS Score
0.001
Published
2024-02-22
An HTML injection vulnerability exists in the Edit Content Layout module of Kirby CMS v4.1.0. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is backend sanitization such that the reporter's mentioned "injecting malicious scripts" would not occur.
CVSS Score
7.1
EPSS Score
0.0
Published
2024-02-22
An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file.
CVSS Score
8.8
EPSS Score
0.002
Published
2024-02-22
Page 2