PT-2023-26468 · Kirby · Kirby

Dapatrese · Published 2023-07-27 · Updated 2023-08-03 · CVE-2023-38488

CVSS v3.1: 7.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Name of the Vulnerable Software and Affected Versions

Kirby versions prior to 3.5.8.3
Kirby versions prior to 3.6.6.3
Kirby versions prior to 3.7.5.2
Kirby versions prior to 3.8.4.1
Kirby versions prior to 3.9.6

Description

A field injection vulnerability in Kirby's content storage implementation allows attackers with content write access to overwrite content fields that the site developer didn't intend to be modified. This can be used to alter site content, break site behavior, or inject malicious data or code. The exact security risk depends on the field type and usage. Kirby stores content in text files using the KirbyData format, where each field is separated by newlines and a line with four dashes (----). The vulnerability can be exploited by including a Unicode BOM sequence in a field separator, which can be abused to inject other field data into content files.

Recommendations

Update to Kirby version 3.5.8.3 or later to fix the vulnerability.
Update to Kirby version 3.6.6.3 or later to fix the vulnerability.
Update to Kirby version 3.7.5.2 or later to fix the vulnerability.
Update to Kirby version 3.8.4.1 or later to fix the vulnerability.
Update to Kirby version 3.9.6 or later to fix the vulnerability.
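
For sites that ran an affected version, the following added example (not Kirby's own code and not part of the original advisory) audits existing content files for separator lines that carry a Unicode BOM, the pattern the description names. It assumes content files use the `.txt` extension and treats a line as suspicious when it contains a BOM and equals `----` once the BOM characters are removed; the function names and the sample text are constructed for illustration.

```python
"""Added example: flag KirbyData separator lines that carry a Unicode BOM."""
import sys
from pathlib import Path

BOM = "\ufeff"
SEPARATOR = "----"  # field separator line, as described in the advisory


def find_bom_separators(text):
    """Return (line_no, following_field) for each suspicious line.

    Assumption: a line is suspicious when it contains a BOM and equals the
    separator once the BOM characters are removed.
    """
    lines = text.split("\n")
    hits = []
    for i, line in enumerate(lines):
        if BOM in line and line.replace(BOM, "").rstrip() == SEPARATOR:
            # Name of the field that would start after this line, if any.
            nxt = next((l for l in lines[i + 1:] if l.strip()), "")
            field = nxt.split(":", 1)[0].strip() if ":" in nxt else None
            hits.append((i + 1, field))
    return hits


def scan_content_dir(root):
    """Scan *.txt files under root (assumed content file extension)."""
    report = {}
    for path in Path(root).rglob("*.txt"):
        # Decode as plain UTF-8 so BOM characters are kept, not stripped.
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_bom_separators(text)
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample content file, not taken from a real site.
SAMPLE = "Title: Home\n\n----\n\nText: hello\n\ufeff----\nStatus: published\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, hits in scan_content_dir(sys.argv[1]).items():
            print(name, hits)
    else:
        print(find_bom_separators(SAMPLE))
```

Any hit names the field that follows the BOM-prefixed separator, which is the value to review against the blueprint for that page.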

Exploit

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2023-38488
GHSA-X5MR-P6V4-WP93

Affected Products

Kirby