Kirby vulnerable to field injection in the KirbyData text storage handler
CVE-2023-38488

7.1HIGH

Key Information:

Vendor

Getkirby

Status
Kirby
Vendor
CVE Published:
27 July 2023

What is CVE-2023-38488?

The vulnerability in Kirby allows attackers, particularly those with write access to the content system, to inject malicious content or alter site data. This occurs due to a flaw in how Kirby handles field separators when reading and writing content data. By exploiting this issue, attackers can potentially override important fields in content files, leading to unintended modifications or execution of malicious code. The issue has been patched in versions 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6, ensuring improved security against such manipulations.

Affected Version(s)

kirby < 3.5.8.3 < 3.5.8.3

kirby >= 3.6.0, < 3.6.6.3 < 3.6.0, 3.6.6.3

kirby >= 3.7.0, < 3.7.5.2 < 3.7.0, 3.7.5.2

References

https://github.com/getkirby/kirby/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/getkirby/kirby/commit/a1e0f81c799ddae1...
x_refsource_MISC
https://github.com/getkirby/kirby/releases/tag/3.5.8.3
x_refsource_MISC

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.