PT-2024-21398 · Kirby Cms

Plynatwara · Published 2024-02-21 · Updated 2025-04-29 · CVE-2024-26481

CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Kirby CMS version 4.1.0

Description: A reflected self-XSS vulnerability was discovered in Kirby CMS via the URL parameter. This issue can be exploited when a user is tricked into executing malicious JavaScript code within their own context, often through social engineering techniques. The vulnerability is limited to self-XSS and cannot directly affect other users or visitors of the site. A successful attack commonly requires knowledge of the content structure by the attacker as well as social engineering of a user with access to the Panel.

Recommendations: To resolve the issue, update to one of the following versions or a later version: Kirby 3.6.6.5, Kirby 3.7.5.4, Kirby 3.8.4.3, Kirby 3.9.8.1, Kirby 3.10.0.1, or Kirby 4.1.1. As a temporary workaround, consider avoiding the use of the URL field in any blueprint until a patch is available. Restrict access to the Panel to minimize the risk of exploitation. Avoid using the javascript: URL in the link target of the link button to prevent malicious code execution.
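The last recommendation above comes down to never letting a script-capable scheme reach an href. The following is an added example, not Kirby's own code, of the allowlist check a Panel-style URL field or link button can apply to a link target before storing it; the site base URL, the accepted scheme list and the sample inputs are assumptions made for the example.

```javascript
// Added example (not Kirby's code): allowlist-based link-target check for a
// CMS URL field or link button. Only the parsed scheme decides; anything a
// browser would execute as script (javascript:, data:, vbscript:, ...) is
// refused because it is simply not on the list.

const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);

// Assumed site origin used to resolve relative links; not a real Kirby setting.
const SITE_BASE = "https://example.invalid/";

// Returns the normalised absolute URL when the target is acceptable, or null
// when it must be refused. Parsing with the WHATWG URL constructor is what makes
// the check robust: it lower-cases the scheme and strips surrounding whitespace
// and embedded tab/newline characters, so scheme-casing or whitespace variants
// cannot slip past the way a plain startsWith("javascript:") test would let them.
function checkLinkTarget(value) {
  if (typeof value !== "string" || value.trim() === "") return null;
  let parsed;
  try {
    parsed = new URL(value, SITE_BASE);
  } catch {
    return null; // unparseable input is refused, never passed through
  }
  return SAFE_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Constructed sample inputs, as an editor might type them into such a field.
const SAMPLES = [
  "https://getkirby.com/docs",
  "/blog/post-1",                  // relative, resolves against SITE_BASE
  "mailto:editor@example.invalid",
  "javascript:alert(1)",
  "  JavaScript:alert(1)",         // casing and leading-whitespace variant
  "data:text/html,hello",          // not on the allowlist either
];

// Classifies each sample so the decision can be inspected or asserted on.
function classify(values) {
  return values.map((v) => ({ value: v, accepted: checkLinkTarget(v) !== null }));
}

for (const r of classify(SAMPLES)) {
  console.log(`${r.accepted ? "accept" : "refuse"}  ${r.value}`);
}
```

The same check belongs on the server side as well, since a client-side field validator can be bypassed by anyone who can already submit content to the Panel API.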

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-26481
GHSA-57F2-8P89-66X6
GHSA-W879-MXJ5-C3WF

Affected Products

Kirby Cms