Security Advisory: CVE-2017-16807 - Kirby CMS < 2.5.7 - Cross-Site Scripting
Severity Rating: High
Confirmed Affected Versions: 2.5.6
Confirmed Patched Versions: 2.5.7
Vendor URL: https://getkirby.com/
ExploitDB URL: https://www.exploit-db.com/exploits/43140/
KirbyCMS Advisory: https://getkirby.com/changelog/kirby-2-5-7
Kirby is a file‑based CMS. Easy to setup. Easy to use. Flexible as hell.
SUMMARY AND IMPACT
A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
PROOF OF CONCEPT
There is no workaround except for updating to the latest version of KirbyCMS from here
Advisory Update: November 17, 2017