A vulnerability has been found in Kirby Panel up to 2.3.2/2.4.1/2.5.6 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Content File Handler. The manipulation as part of a SVG Document leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. The summary by CVE is:

A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.

The bug was discovered 11/13/2017. The weakness was disclosed 11/13/2017 (Website). It is possible to read the advisory at getkirby.com. This vulnerability is known as CVE-2017-16807 since 11/13/2017. The attack can be launched remotely. The successful exploitation needs a single authentication. It demands that the victim is doing some kind of user interaction. Technical details are unknown but a public exploit is available. The attack technique deployed by this issue is T1059.007 according to MITRE ATT&CK.

It is possible to download the exploit at exploit-db.com. It is declared as proof-of-concept.

Upgrading to version 2.3.3, 2.4.2 or 2.5.7 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Exploit-DB (43140).

Productinfo

Name

• Kirby Panel

Version

• 2.3.0
• 2.3.1
• 2.3.2
• 2.4.0
• 2.4.1
• 2.5.0
• 2.5.1
• 2.5.2
• 2.5.3
• 2.5.4
• 2.5.5
• 2.5.6

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion