PT-2022-28279 · Kirby · Kirby

Published: 2022-08-30 · Updated: 2022-08-30

CVSS v3.1: 7.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Kirby versions prior to 3.5.8.1
Kirby versions prior to 3.6.6.1
Kirby versions prior to 3.7.4
Description

Cross-site scripting (XSS) allows the execution of JavaScript code inside the Panel session of the same or other users. This vulnerability is critical if potential attackers are among the authenticated Panel users, because they can escalate their privileges by taking over an admin user's Panel session.

The issue arises because the Panel renders tags as HTML, both new or edited tags and custom tags read from the content file, in the tags and multiselect fields. An attacker with Panel access can therefore store HTML code in a tag, which is then rendered by the victim's browser. Self-inflicted XSS attacks are also possible in the tags field. Visitors without Panel access can only use this attack vector if the site allows the content of a tags or multiselect field to be changed from a frontend form.
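The root cause described above is tag labels reaching the browser as markup. The following added example (not Kirby's own code) shows the two things a site operator can do about it: audit existing content files for tag values that contain markup, and render tag labels with HTML escaping so they are displayed literally. The content file format is assumed to be Kirby's plain-text "Field: value" blocks separated by "----"; the sample content is constructed.

```javascript
// Parse a Kirby-style content file: "Field: value" blocks separated by "----".
function parseContentFile(text) {
  const fields = {};
  for (const block of text.split(/\n----\n/)) {
    const m = block.match(/^([A-Za-z0-9_-]+):\s*([\s\S]*)$/);
    if (m) fields[m[1].toLowerCase()] = m[2].trim();
  }
  return fields;
}

// Split a comma-separated tags field into trimmed, non-empty tag strings.
function splitTags(value) {
  return value.split(',').map((t) => t.trim()).filter(Boolean);
}

// Audit heuristic: flag tags containing angle brackets, which a Panel that
// renders labels as HTML would interpret as markup instead of showing as text.
function findSuspiciousTags(tags) {
  return tags.filter((t) => /[<>]/.test(t));
}

// Escape the characters HTML treats specially so a label is shown verbatim.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the markup for a tags field with every label escaped (the safe behaviour).
// The "k-tag" class name is an assumption for illustration only.
function renderTagsSafe(tags) {
  return tags.map((t) => `<span class="k-tag">${escapeHtml(t)}</span>`).join('');
}

// Constructed sample content file (not from the advisory): one tag carries markup.
const SAMPLE_CONTENT = [
  'Title: Example article',
  '----',
  'Tags: security, kirby, <b>not a real tag</b>',
  '----',
  'Text: Body text.',
].join('\n');

const tags = splitTags(parseContentFile(SAMPLE_CONTENT).tags);
console.log('tags containing markup:', findSuspiciousTags(tags));
console.log('escaped rendering:', renderTagsSafe(tags));
```

Running the audit across all content files before upgrading shows whether any stored tag already carries markup that the patched Panel will now display literally.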
Recommendations

For Kirby versions prior to 3.5.8.1, update to version 3.5.8.1 or later.
For Kirby versions prior to 3.6.6.1, update to version 3.6.6.1 or later.
For Kirby versions prior to 3.7.4, update to version 3.7.4 or later.

As a temporary workaround, consider disabling the tags and multiselect fields by uncommenting them from all blueprints.

Fix

XSS

Weakness Enumeration

Related Identifiers: GHSA-RV3R-VQJJ-8C76

Affected Products: Kirby