PT-2021-18230 · Kirby · Kirby
Sreenathr10 · Published 2021-04-27 · Updated 2021-05-07
CVE-2021-29460
CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Kirby versions prior to 3.5.4
Description:
The issue allows an editor with write access to the Kirby Panel to upload an SVG or XML file containing harmful content such as <script> tags. If a victim opens the link to the file in a browser where they are logged in to Kirby, the script can run and trigger requests to Kirby's API with the victim's permissions. This can lead to privilege escalation if an attacker gains access to an admin user's Panel session. Visitors without Panel access can exploit this if the site allows SVG or XML file uploads in frontend forms without validation or sanitization.
Recommendations:
To resolve the issue, update to Kirby 3.5.4 or a later version.
For frontend upload forms, ensure they are patched separately based on how they store uploaded files.
If the form uses File::create(), updating to Kirby 3.5.4+ provides protection.
As a temporary workaround, consider disabling the upload of SVG and XML files in file blueprints until a patch is applied.
After updating, run the provided validator script to check for existing harmful files and review any listed errors for manual fixing.
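A standalone screening check for files that were uploaded before the update, in the spirit of the validator step above. This is an added example written in Python; it is not Kirby's own validator script and not Kirby code. The sample SVG documents, the directory path and the set of flagged constructs are constructed for illustration. It flags the construct the description names (script elements) together with a few constructs that behave the same way when an SVG is opened directly in a browser: event-handler attributes, javascript: and non-image data: URLs, foreignObject, and DOCTYPE/ENTITY declarations (checked textually so the parser never expands them). It is a screening heuristic for triage, not a sanitizer.

```python
"""Screen uploaded SVG/XML files for active content (added example, not Kirby's validator)."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Elements that run script or embed HTML when the SVG is opened directly in a browser.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# URL schemes that execute script when used in href / xlink:href.
SCRIPT_SCHEME = re.compile(r"^\s*(?:javascript|vbscript)\s*:", re.IGNORECASE)
# data: URLs are accepted only for embedded raster images; anything else (e.g. text/html) is flagged.
RASTER_DATA_URL = re.compile(r"^\s*data:image/(?:png|jpe?g|gif|webp)[;,]", re.IGNORECASE)
# Entity declarations are checked on the raw bytes before parsing, so nothing gets expanded.
ENTITY_DECL = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
# No standard SVG attribute starts with "on" except the event handlers.
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.IGNORECASE)


def _local(qname: str) -> str:
    """Strip ElementTree's '{namespace}' prefix and lower-case the name."""
    return qname.rsplit("}", 1)[-1].lower()


def _script_url(value: str) -> bool:
    """True if a URL attribute value can execute script when followed."""
    v = value.strip()
    if SCRIPT_SCHEME.match(v):
        return True
    return v.lower().startswith("data:") and not RASTER_DATA_URL.match(v)


def scan_svg(data: bytes) -> List[str]:
    """Return findings for one SVG/XML document; an empty list means nothing was flagged."""
    if ENTITY_DECL.search(data):
        # Stop before parsing: expanding attacker-controlled entities is itself a risk.
        return ["DOCTYPE/ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings: List[str] = []
    for elem in root.iter():
        if not isinstance(elem.tag, str):
            continue  # comments / processing instructions, if a parser kept them
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for name, value in elem.attrib.items():
            attr = _local(name)  # xlink:href arrives as '{xlink-ns}href'
            if EVENT_HANDLER.match(attr):
                findings.append(f"event handler attribute {attr} on <{tag}>")
            elif attr in ("href", "src") and _script_url(value):
                findings.append(f"script-capable URL in {attr} on <{tag}>: {value.strip()[:40]!r}")
    return findings


def scan_tree(root_dir: Path) -> Dict[str, List[str]]:
    """Scan every .svg/.xml file below root_dir; returns {path: findings} for flagged files only."""
    report: Dict[str, List[str]] = {}
    for path in root_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in (".svg", ".xml"):
            findings = scan_svg(path.read_bytes())
            if findings:
                report[str(path)] = findings
    return report


# Constructed sample documents (not real uploads) used by the self-check below.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><rect width="10" height="10" fill="#0af"/></svg>'
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    b"<script>alert(1)</script>"
    b'<a xlink:href="javascript:alert(1)"><text y="8">link</text></a></svg>'
)
ENTITY_SVG = b'<!DOCTYPE svg [<!ENTITY x "y">]><svg xmlns="http://www.w3.org/2000/svg">&x;</svg>'

if __name__ == "__main__":
    # Usage: python svg_scan.py /path/to/site/content   (the content directory is an assumption)
    if len(sys.argv) > 1:
        for file_path, file_findings in scan_tree(Path(sys.argv[1])).items():
            print(file_path)
            for finding in file_findings:
                print("  -", finding)
    else:
        for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG), ("entity", ENTITY_SVG)):
            print(label, scan_svg(doc))
```

Run it without arguments to see the three constructed samples classified; with a directory argument it walks that tree and lists only files that have findings, which can then be reviewed by hand as the recommendation describes. The raster-image exception on data: URLs keeps legitimate SVGs with embedded PNG/JPEG images from being flagged.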
Affected Products: Kirby