SCA: security update for getkirby/cms (GHSA-8fv7-wq38-f5c9)

medium Tenable Self-Hosted Container Security Plugin ID 412636

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2,
3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of
authenticated Panel users or that allow external visitors to upload an arbitrary file to the content
folder. Kirby sites are not affected if they don't allow file uploads for untrusted users or visitors or
if the file extensions of uploaded files are limited to a fixed safe list. The attack requires user
interaction by another user or visitor and cannot be automated. An editor with write access to the Kirby
Panel could upload a file with an unknown file extension like `.xyz` that contains HTML code including
harmful content like `<script>` tags. The direct link to that file could be sent to other users or
visitors of the site. If the victim opened that link in a browser where they are logged in to Kirby and
the file had not been opened by anyone since the upload, Kirby would not be able to send the correct MIME
content type, instead falling back to `text/html`. The browser would then run the script, which could for
example trigger requests to Kirby's API with the permissions of the victim. The issue was caused by the
underlying `Kirby\Http\Response::file()` method, which didn't have an explicit fallback if the MIME type
could not be determined from the file extension. If you use this method in site or plugin code, these uses
may be affected by the same vulnerability. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3,
3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have fixed the affected
method to use a fallback MIME type of `text/plain` and set the `X-Content-Type-Options: nosniff` header if
the MIME type of the file is unknown. (CVE-2023-38491)

See Also

https://github.com/advisories/GHSA-8fv7-wq38-f5c9

Plugin Details

Severity: Medium

ID: 412636

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2023-38491

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/28/2023

Vulnerability Publication Date: 7/27/2023

Reference Information

CVE: CVE-2023-38491

cwe: CWE-79