SCA: security update for getkirby/cms (GHSA-x7j7-qp7j-hw3q)

medium Tenable Self-Hosted Container Security Plugin ID 420358

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Kirby is an open source file structured CMS ### Impact Kirby's writer field stores its formatted content
as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against
cross-site scripting (XSS) attacks, otherwise the formatting would be lost. If the user is logged in to
the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the
victim. Because the writer field did not securely sanitize its contents on save, it was possible to inject
malicious HTML code into the content file by sending it to Kirby's API directly without using the Panel.
This malicious HTML code would then be displayed on the site frontend and executed in the browsers of site
visitors and logged in users who are browsing the site. Attackers must be in your group of authenticated
Panel users in order to exploit this weakness. Users who do not make use of the writer field are not
affected. This issue has been patched in Kirby 3.5.8 by sanitizing all writer field contents on the
backend whenever the content is modified via Kirby's API. Please update to this or a later version to fix
the vulnerability. (CVE-2021-41252)

See Also

https://github.com/advisories/GHSA-x7j7-qp7j-hw3q

Plugin Details

Severity: Medium

ID: 420358

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2021-41252

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/16/2021

Vulnerability Publication Date: 11/16/2021

Reference Information

CVE: CVE-2021-41252

cwe: CWE-79