PT-2021-23219 · Kirby · Kirby

Author: Azrul Ikhwan Zulkifli, +1
Published: 2021-11-16
Updated: 2021-11-18
CVE: CVE-2021-41258
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Kirby versions prior to 3.5.8

Description: The issue concerns Kirby's blocks field, which stores structured data for each block; block snippets use this data to convert blocks to HTML for use in templates. The default snippet for the image block did not escape HTML special characters, so malicious HTML could be included in the source, alt, and link fields of the image block. That HTML was then rendered on the site frontend and executed in the browsers of site visitors and logged-in users. Exploitation requires an authenticated Panel user. The result is cross-site scripting (XSS): JavaScript can be executed inside the site frontend or the Panel session of other users.

Recommendations: Update to Kirby 3.5.8 or a later version, which fixes the vulnerability. As a temporary workaround, escape HTML special characters in the output of the default image block snippet, or use a custom block snippet that either escapes the printed values or doesn't use them. Restrict access to the blocks field, and the image block in particular, to minimize the risk of exploitation, and avoid using the source, alt, and link fields of the image block until the fix is applied.
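The following is an added illustrative example, not Kirby's own snippet code: a minimal PHP rendering of an image block in the unescaped form the description refers to, beside the escaped form the recommendations call for. The block data is a constructed array with the field names src, alt and link (in a real Kirby snippet they would come from the block object); the helper name e() is this example's own, standing in for the framework's escaping helper.

```php
<?php
declare(strict_types=1);

// Constructed sample of stored image-block content. In Kirby these values are
// entered by a Panel user and stored as structured block data; here they are
// hard-coded so the example runs stand-alone. The alt text contains characters
// that are meaningful in HTML attributes.
const SAMPLE_BLOCK = [
    'src'  => '/media/pages/home/example.jpg',
    'alt'  => 'Sunset over the "old" harbour <evening>',
    'link' => '/gallery',
];

/**
 * Vulnerable form: stored values are written straight into the markup.
 * The double quote in the alt text terminates the attribute early, so the
 * rest of the stored text becomes part of the tag instead of inert text.
 */
function renderImageBlockUnsafe(array $content): string
{
    $src  = $content['src']  ?? '';
    $alt  = $content['alt']  ?? '';
    $link = $content['link'] ?? '';

    $img = '<img src="' . $src . '" alt="' . $alt . '">';

    return $link !== ''
        ? '<figure><a href="' . $link . '">' . $img . '</a></figure>'
        : '<figure>' . $img . '</figure>';
}

/**
 * HTML attribute/text escaper (this example's own helper). ENT_QUOTES covers
 * both quote styles so a value can neither close an attribute nor open a tag.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hardened form: every printed value is escaped before it reaches the markup.
 * The output structure is identical; only the data is neutralised.
 */
function renderImageBlockSafe(array $content): string
{
    $src  = e($content['src']  ?? '');
    $alt  = e($content['alt']  ?? '');
    $link = e($content['link'] ?? '');

    $img = '<img src="' . $src . '" alt="' . $alt . '">';

    return $link !== ''
        ? '<figure><a href="' . $link . '">' . $img . '</a></figure>'
        : '<figure>' . $img . '</figure>';
}

/**
 * Simple check a reviewer can run over rendered output: the raw characters
 * from the stored alt text must not survive unescaped inside the markup.
 */
function containsRawAttributeBreak(string $html, string $storedValue): bool
{
    return str_contains($html, $storedValue);
}

echo "Unsafe: ", renderImageBlockUnsafe(SAMPLE_BLOCK), PHP_EOL;
echo "Safe:   ", renderImageBlockSafe(SAMPLE_BLOCK), PHP_EOL;

// The unsafe output still carries the stored quote and angle brackets verbatim;
// the safe output carries them as &quot; &lt; &gt; instead.
var_dump(containsRawAttributeBreak(renderImageBlockUnsafe(SAMPLE_BLOCK), SAMPLE_BLOCK['alt'])); // bool(true)
var_dump(containsRawAttributeBreak(renderImageBlockSafe(SAMPLE_BLOCK), SAMPLE_BLOCK['alt']));   // bool(false)
```

Escaping addresses the markup injection the advisory describes. The link value ends up in an href, so a custom snippet can go one step further and only accept relative paths or http(s) URLs there; that is a separate validation concern from HTML escaping and is not required by the advisory's workaround.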

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2021-41258
GHSA-CQ58-R77C-5JJW

Affected Products

Kirby