A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:getkirby:panel:*:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"fixed": "2.3.3"
},
{
"fixed": "2.3.3"
},
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
},
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
},
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.7"
},
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.7"
}
],
"vendor_product": "getkirby:panel",
"source": "CPE_RANGE"
}
]
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.3.3"
},
{
"introduced": "2.4.x"
},
{
"fixed": "2.4.2"
},
{
"introduced": "2.5.x"
},
{
"fixed": "2.5.7"
}
],
"source": "DESCRIPTION"
}