This security release fixes two cross-site scripting (XSS) vulnerabilities from writer field and image block content printed in the site frontend.

Cross-site scripting (XSS) is a type of vulnerability that allows an attacker to execute arbitrary JavaScript code inside the site frontend or the Panel session of other users.

Writer field

Severity: medium (CVSS score 5.4)

Impact

Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, because the formatting would otherwise be lost.

Because the writer field did not securely sanitize its contents on save, it was possible to inject malicious HTML code into the content file by sending it to Kirby's API directly, without using the Panel.

This malicious HTML code would then be displayed on the site frontend and executed in the browsers of site visitors and of logged-in users browsing the site. If the victim is logged in to the Panel, a harmful script can, for example, trigger requests to Kirby's API with the permissions of the victim. Attackers can escalate their privileges if they get access to the Panel session of an admin user. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users.

Changelog:

- Replaced true/punycode with the symfony/polyfill-intl-idn dependency #3988
- Don't pass null to native functions that don't accept null but a specific type (string, int, ...)
- Upgraded the claviska/simpleimage dependency #3989
- Use the null coalescing assignment operator in PHP #3885
- Use Prettier for consistent JS formatting #3812
- Switched to the optional chaining operator on the frontend #3908
- Use strip_tags with an array of tags #3884
- Fixed prop type check for number text in the button component #4000
- Area dropdowns can now be created with a simple closure instead of defining a full route (as already advertised) #3970
- Fixed script-src warning when setting a CSP header with our nonce #3986
- The empty writer field no longer contains a paragraph #3943
- Fixed passing null as second parameter, which is deprecated since PHP 8.0 #3975
- Str methods handle an empty $needle string #3459
- route:before and route:after hooks only get called for core routing calls #3951
- Panel::go() and other exceptions are supported in the panel.route:before hook #3964
- Item dropdown icon doesn't overlap the dropdown itself anymore #3966
- Converting blocks from a non-existing type (e.g. after renaming) doesn't throw an error #3962
- Fixed non-standard MIME type "application/force-download" header in Response::download() #3956
- System view: renamed the "SSL" status to "HTTPS" for clarity #3960
- Added Toolkit\Html::$inlineList with an array of tags that are allowed in inline context #3884
- New system.exception hook that can be used to log an error or exception in a log file or via a service like Sentry #3952
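The sanitize-on-save mitigation described in the Impact section, as an added example that is not Kirby's own code: an allow-list HTML sanitiser that keeps formatting tags but drops everything else, applied on every write path so that content sent directly to the API is treated the same as content saved through the Panel. The tag, attribute and scheme lists and the function names are assumptions; it also normalises href values the way browsers do before checking the scheme.

```php
<?php
// Added example, not Kirby's own code: allow-list sanitiser for a writer-style field's stored HTML,
// to run on save for every write path (Panel and direct API alike). Lists and names are hypothetical.
const ALLOWED_TAGS    = ['p', 'br', 'strong', 'em', 'b', 'i', 'u', 'code', 'a', 'ul', 'ol', 'li'];
const ALLOWED_ATTRS   = ['a' => ['href']];           // no on*, style, src, ...
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
function sanitizeWriterHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                // tolerate sloppy markup quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);
    // Re-serialise only the fragment, not the html/body wrapper libxml added
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($body->childNodes)));
}
function cleanNode(DOMNode $node): void
{
    // Snapshot first: the live NodeList shifts while children are removed or unwrapped
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if (!($child instanceof DOMElement)) {       // keep text; drop comments, CDATA, PIs
            if ($child->nodeType !== XML_TEXT_NODE) $node->removeChild($child);
            continue;
        }
        cleanNode($child);                           // descendants first, then this tag
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {   // unwrap (keep visible text) or drop
            while ($tag !== 'script' && $tag !== 'style' && $child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);         // drops on*, style, src, ...
            if (!in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                || ($name === 'href' && !safeHref($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}
function safeHref(string $href): bool
{
    // Browsers drop ASCII controls/whitespace before reading the scheme; mirror that
    $probe = preg_replace('/[\x00-\x20]+/', '', $href);
    return !preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)   // no scheme: relative URL
        || in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}
```

Because the DOM is re-serialised after cleaning, stray or mis-nested markup is normalised as well, so the stored value is always well-formed HTML built only from the allowed tags.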