CVE-2021-41252

Name of the Vulnerable Software and Affected Versions Kirby versions prior to 3.5.8

Description The issue concerns the writer field in Kirby, which stores formatted content as HTML code and does not escape HTML special characters against cross-site scripting (XSS) attacks. This allows malicious HTML code to be injected into the content file and executed in the browsers of site visitors and logged-in users. The vulnerability can be exploited by attackers who are in the group of authenticated Panel users, potentially leading to escalated privileges if they gain access to an admin user's Panel session. The estimated number of potentially affected devices is not specified.

Recommendations For versions prior to 3.5.8, update to Kirby 3.5.8 or a later version to fix the vulnerability. As a temporary workaround, consider restricting access to the writer field for authenticated Panel users to minimize the risk of exploitation. If possible, avoid using the writer field until the issue is resolved.