SCA: security update for getkirby/cms (GHSA-qgp4-5qx6-548g)

medium Tenable Self-Hosted Container Security Plugin ID 418127

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that
contains harmful content like `<script>` tags. The direct link to that file can be sent to other users or
visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the
script will run and can for example trigger requests to Kirby's API with the permissions of the victim.
This vulnerability is critical if you might have potential attackers in your group of authenticated Panel
users, as they can escalate their privileges if they get access to the Panel session of an admin user.
Depending on your site, other JavaScript-powered attacks are possible. Visitors without Panel access can
only use this attack vector if your site allows SVG file uploads in frontend forms and you don't already
sanitize uploaded SVG files. The problem has been patched in Kirby 3.5.4. Please update to this or a later
version to fix the vulnerability. Frontend upload forms need to be patched separately depending on how
they store the uploaded file(s). If you use `File::create()`, you are protected by updating to 3.5.4+. As
a work around you can disable the upload of SVG files in your file blueprints. (CVE-2021-29460)

See Also

https://github.com/advisories/GHSA-qgp4-5qx6-548g

Plugin Details

Severity: Medium

ID: 418127

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.7

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2021-29460

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/30/2021

Vulnerability Publication Date: 4/27/2021

Reference Information

CVE: CVE-2021-29460

cwe: CWE-79