
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN813
_____________________________________________________________________

DATE                : 19/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kirby CMS versions prior to 5.1.4.

=====================================================================
https://github.com/getkirby/kirby/security/advisories/GHSA-84hf-8gh5-575j
_____________________________________________________________________

Cross-site scripting (XSS) in the changes dialog
Severity: Moderate
Published by bastianallgeier as GHSA-84hf-8gh5-575j on Nov 18, 2025

Package
getkirby/cms (Composer)

Affected versions
5.0.0-5.1.3

Patched versions
5.1.4


Description
TL;DR

This vulnerability affects all Kirby 5 sites that might have potential
attackers in the group of authenticated Panel users or that allow
external visitors to update page titles or usernames.

The attack requires user interaction by another Panel user and cannot
be automated.


Introduction

Cross-site scripting (XSS) is a type of vulnerability that allows an
attacker to execute arbitrary JavaScript code inside the Panel session
of the same or other users. In the Panel, a harmful script can for
example trigger requests to Kirby's API with the permissions of the
victim.

Such vulnerabilities are critical if you might have potential
attackers in your group of authenticated Panel users. They can
escalate their privileges if they get access to the Panel
session of an admin user. Depending on your site, other
JavaScript-powered attacks are possible.


Impact

The "Changes" dialog in the Panel displays all content models
(pages, files, users) with changed content, i.e. with content that
has not yet been published. Each changed model is listed with its
preview image/icon and its title/name.

Attackers could change the title of any page or the name of any
user to a malicious string. Then they could modify any content
field of the same model without saving, making the model a
candidate for display in the "Changes" dialog. If another
authenticated user subsequently opened the dialog in their Panel,
the malicious code would be executed.


Patches

The problem has been patched in Kirby 5.1.4. Please update to
this or a later version to fix the vulnerability.

In the patch release, we have added the required escaping code in the
places where the model titles are rendered, so that the browser treats
the titles as plain text rather than as markup or code.
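The following is an added illustration of the fix described above; it is not
Kirby's own Panel code. The two render functions, the `escapeHtml` helper and
the sample model are hypothetical and stand in for the "Changes" dialog row.

```javascript
// Added example (not Kirby's code): why escaping a model title before it is
// placed into the dialog markup closes the injection.

// Minimal HTML escaping: the five characters that can terminate a text node
// or an attribute value are mapped to their entity forms.
function escapeHtml(value) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Vulnerable pattern (hypothetical): the title is interpolated as-is, so any
// tags it contains are parsed as markup when the dialog is rendered.
function renderChangeRowUnsafe(model) {
  return `<li class="changes-item"><img src="${model.icon}" alt=""> ${model.title}</li>`;
}

// Fixed pattern: every untrusted value is escaped, whether it lands in a
// text node (the title) or in an attribute value (the icon URL).
function renderChangeRowSafe(model) {
  return `<li class="changes-item"><img src="${escapeHtml(model.icon)}" alt=""> ${escapeHtml(model.title)}</li>`;
}

// Constructed sample: a page whose title has been edited to contain markup.
const sampleModel = {
  id: "pages/about",
  icon: "/media/pages/about/icon.png",
  title: "About <b>us</b> <script>/* constructed */</script>",
};

// Regression check usable in a unit test: does the rendered fragment still
// contain a raw tag with the given name that the template never emits?
function containsRawTag(html, tagName) {
  return new RegExp("<" + tagName + "\\b", "i").test(html);
}

// Stand-alone run: the unsafe row keeps the raw <script> tag, the safe one
// carries only entity-encoded text.
console.log(containsRawTag(renderChangeRowUnsafe(sampleModel), "script")); // true
console.log(containsRawTag(renderChangeRowSafe(sampleModel), "script"));   // false
```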


Severity
Moderate (5.1 / 10)

CVSS v4 base metrics

Exploitability Metrics
  Attack Vector        : Network
  Attack Complexity    : Low
  Attack Requirements  : None
  Privileges Required  : Low
  User Interaction     : Passive

Vulnerable System Impact Metrics
  Confidentiality      : Low
  Integrity            : Low
  Availability         : None

Subsequent System Impact Metrics
  Confidentiality      : None
  Integrity            : None
  Availability         : None

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CVE ID
CVE-2025-65012

Weaknesses
CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================