CVE-2017-16807 - Kirby CMS < 2.5.7 - Cross-Site Scripting
Security Advisory: CVE-2017-16807 - Kirby CMS < 2.5.7 - Cross-Site Scripting
OVERVIEW
Severity Rating: High
Confirmed Affected Versions: 2.5.6
Confirmed Patched Versions: 2.5.7
Vendor: KirbyCMS
Vendor URL: https://getkirby.com/
Vector: Remote
Status: Public
CVE: CVE-2017-16807
ExploitDB URL: https://www.exploit-db.com/exploits/43140/
KirbyCMS Advisory: https://getkirby.com/changelog/kirby-2-5-7
PRODUCT DESCRIPTION
Kirby is a file-based CMS. Easy to set up. Easy to use. Flexible as hell.
SUMMARY AND IMPACT
A cross-site scripting (XSS) vulnerability exists in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 when it displays a specially prepared SVG document that has been uploaded as a content file.
In Kirby, an Editor has the privilege to upload certain files to the website; among the permitted file types, the Editor can also upload Scalable Vector Graphics (SVG) files. During this research I found that we can execute JavaScript code via SVG files. Thanks to @brutelogic.
When an Administrator of the Kirby Panel opens this malformed SVG file uploaded by the Editor, the JavaScript code embedded in the SVG file is executed.
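As an added, defender-side example (not Kirby's code and not part of the original advisory): a Python upload gate that inspects an SVG before it is stored and rejects it if it carries script-capable content. It goes a little beyond the single case above by also flagging script elements, javascript: hrefs and non-image data: hrefs; the function names and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Element local names that can carry or trigger script when a browser renders the
# SVG inline instead of as a plain <img>. Constructed list for this example.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def find_active_content(svg_bytes: bytes) -> list:
    """Return findings for script-capable content; an empty list means none seen.
    Unparseable input is a finding too: a browser's lenient parser may still render
    what a strict XML parser rejects, so it must not pass."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)  # covers both href and xlink:href
            if name.lower().startswith("on"):  # onload, onclick, ... event handlers
                findings.append(f"event handler {name!r} on <{tag}>")
            elif name == "href":
                v = value.strip().lower()
                if v.startswith("javascript:") or (v.startswith("data:") and not v.startswith("data:image/")):
                    findings.append(f"active href URL on <{tag}>")
    return findings

def is_safe_svg_upload(svg_bytes: bytes) -> bool:
    """Upload gate: accept only a parseable document whose root is <svg> and has no findings."""
    if find_active_content(svg_bytes):
        return False
    return _local(ET.fromstring(svg_bytes).tag) == "svg"

# Constructed sample uploads for this example (not taken from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
    b' onload="/* attacker JS */"><script>/* attacker JS */</script>'
    b'<a xlink:href="javascript:void(0)"><text>click</text></a></svg>'
)
```

xml.etree does not protect against entity-expansion (billion laughs) input on its own, so in production parse with defusedxml or reject documents containing a DOCTYPE before running this check.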
PROOF OF CONCEPT
https://www.youtube.com/watch?v=brgSJtj0Dpo
WORKAROUNDS
There is no workaround except updating to the latest version of KirbyCMS from here.
Advisory Update: November 17, 2017