PT-2022-23133 · Kirby · Kirby

Lukasbestle · Published 2022-08-29 · Updated 2022-09-07 · CVE-2022-36037

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Kirby versions 3.5 through 3.5.8.0

Description: Cross-site scripting (XSS) allows execution of JavaScript code inside the Panel session of the same or other users. A harmful script can trigger requests to Kirby's API with the permissions of the victim. If attackers gain access to a group of authenticated Panel users, they can escalate their privileges via the Panel session of an admin user. The multiselect field allows selection of tags from an autocompleted list, and in Kirby 3.5 it used HTML rendering for the raw option value, allowing attackers to store HTML code. The browser of a victim who visits a page with manipulated multiselect options in the Panel renders this malicious HTML code when the victim opens the autocomplete dropdown.

Recommendations: For Kirby versions 3.5 through 3.5.8.0, update to Kirby 3.5.8.1 or a later version to fix the vulnerability. As a temporary workaround, consider disabling the multiselect field by commenting it out of all blueprints.
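As an added illustration that is not Kirby's own code: the raw-rendering pattern the description refers to beside an escaping renderer for autocomplete options, plus a check that flags stored options containing markup. The option shape {text, value}, the function names and the sample options are assumptions of this example.

```javascript
// Added example, not Kirby's code. Option objects of the form {text, value}
// and the sample data below are assumptions made for this illustration.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Raw rendering: the option text is interpolated unescaped, so stored markup
// becomes live HTML as soon as the dropdown is opened (the behaviour the
// advisory describes for Kirby 3.5).
function renderDropdownRaw(options) {
  return options.map((o) => `<li data-value="${o.value}">${o.text}</li>`).join("");
}

// Hardened rendering: every attribute value and text node is escaped, so a
// stored option is shown literally instead of being interpreted as HTML.
function renderDropdownEscaped(options) {
  return options
    .map((o) => `<li data-value="${escapeHtml(o.value)}">${escapeHtml(o.text)}</li>`)
    .join("");
}

// Defender check: return stored options whose text or value contains a tag,
// useful when auditing content written while a vulnerable version was in use.
function findMarkupOptions(options) {
  const tagPattern = /<\s*\/?[a-z][^>]*>/i;
  return options.filter((o) => tagPattern.test(o.text) || tagPattern.test(o.value));
}

// Constructed sample: one legitimate tag and one manipulated option.
const sampleOptions = [
  { text: "design", value: "design" },
  { text: '<img src=x onerror="alert(1)">', value: "x" },
];

console.log(renderDropdownEscaped(sampleOptions));
console.log(findMarkupOptions(sampleOptions));
```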

Weakness: XSS

Related Identifiers: CVE-2022-36037, GHSA-3F89-869F-5W76

Affected Products: Kirby