CVE-2017-16807 - Kirby CMS < 2.5.7 - Cross-Site Scripting

Security Advisory: CVE-2017-16807 - Kirby CMS < 2.5.7 - Cross-Site Scripting

OVERVIEW

Severity Rating: High

Confirmed Affected Versions: 2.5.6

Confirmed Patched Versions: 2.5.7

Vendor: KirbyCMS

Vendor URL: https://getkirby.com/

Vector: Remote

Status: Public

CVE: CVE-2017-16807

ExploitDB URL: https://www.exploit-db.com/exploits/43140/

KirbyCMS Advisory: https://getkirby.com/changelog/kirby-2-5-7

PRODUCT DESCRIPTION

Kirby is a file-based CMS. Easy to set up. Easy to use. Flexible as hell.

SUMMARY AND IMPACT

A cross-site scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.

In Kirby, an Editor has the privilege to upload certain files to the website; this includes Scalable Vector Graphics (SVG) files. During this research I found that JavaScript code can be executed via SVG files. Thanks to @brutelogic.

When a Kirby Administrator opens the malformed SVG file uploaded by the Editor in the Panel, the JavaScript embedded in the SVG is executed in the Administrator's browser.
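As an added defensive illustration that is not part of this advisory or of Kirby's own code: a Python check an upload handler could run to flag SVG files carrying active content (script elements, event-handler attributes, javascript: URLs), plus the response headers to use if such files must still be served. The function names and the sample SVG documents are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample uploads (not taken from the advisory or from Kirby).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="f()">'
              b'<script>f()</script><a href="javascript:f()"><text>hi</text></a></svg>')

# Elements that can carry or embed executable content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def svg_active_content(data: bytes) -> list[str]:
    """Return findings describing script-capable content in an SVG upload.

    An empty list means nothing active was found; any finding means the
    file should be rejected (or only ever served as a download)."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()          # strip XML namespace
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1].lower()         # xlink:href -> href
            if name.startswith("on"):                  # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            if name in ("href", "src") and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: URL in {name} on <{tag}>")
    return findings


def download_headers(filename: str) -> dict[str, str]:
    """Headers for serving an untrusted SVG so the browser never renders it
    inline in the origin of the CMS: force a download and forbid scripts."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("clean :", svg_active_content(CLEAN_SVG))
    print("active:", svg_active_content(ACTIVE_SVG))
```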

PROOF OF CONCEPT

https://www.youtube.com/watch?v=brgSJtj0Dpo

WORKAROUNDS

There is no workaround other than updating to the latest version of KirbyCMS, available from https://getkirby.com/.

Advisory Update: November 17, 2017