GHSA-qv4x-v2v4-f8p9

Source

https://github.com/advisories/GHSA-qv4x-v2v4-f8p9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-qv4x-v2v4-f8p9/GHSA-qv4x-v2v4-f8p9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qv4x-v2v4-f8p9

Withdrawn

2024-08-30T14:42:28Z

Published

2024-02-22T06:30:33Z

Modified

2024-08-30T14:57:47.888861Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

Withdrawn Advisory: Kirby CMS HTML injection vulnerability

Details

Withdrawn Advisory

This advisory has been withdrawn because the vendor reports that some HTML formatting (such as with an H1 element) is allowed, but there is backend sanitization such that the reporter's mentioned "injecting malicious scripts" would not occur.

Original Advisory

An HTML injection vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted payload.

Database specific

{
    "github_reviewed_at": "2024-02-26T22:15:36Z",
    "cwe_ids": [
        "CWE-80"
    ],
    "nvd_published_at": "2024-02-22T05:15:09Z",
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

Packagist / getkirby/cms

Package

Name: getkirby/cms
Purl: pkg:composer/getkirby/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

4.1.0

Affected versions

3.*

3.0.0

3.0.1-rc.1

3.0.1

3.0.2-rc.1

3.0.2

3.0.3-rc.1

3.0.3-rc.2

3.0.3-rc.3

3.0.3

3.1.0-rc.1

3.1.0

3.1.1

3.1.2-rc.1

3.1.2

3.1.3-rc.1

3.1.3

3.1.4-rc.1

3.1.4

3.2.0-rc.1

3.2.0-rc.2

3.2.0-rc.3

3.2.0-rc.4

3.2.0

3.2.1-rc.1

3.2.1

3.2.2

3.2.3-rc.1

3.2.3

3.2.4-rc.1

3.2.4

3.2.5-rc.1

3.2.5-rc.2

3.2.5

3.3.0-rc.1

3.3.0-rc.2

3.3.0-rc.3

3.3.0-rc.4

3.3.0-rc.5

3.3.0

3.3.1-rc.1

3.3.1

3.3.2-rc.1

3.3.2

3.3.3-rc.1

3.3.3

3.3.4-rc.1

3.3.4

3.3.5-rc.1

3.3.5

3.3.6

3.4.0-rc.1

3.4.0-rc.2

3.4.0-rc.3

3.4.0

3.4.1-rc.1

3.4.1

3.4.2

3.4.3-rc.1

3.4.3

3.4.4-rc.1

3.4.4

3.4.5

3.5.0-rc.1

3.5.0-rc.2

3.5.0-rc.3

3.5.0-rc.4

3.5.0-rc.5

3.5.0-rc.6

3.5.0-rc.7

3.5.0

3.5.1-rc.1

3.5.1

3.5.2-rc.1

3.5.2

3.5.3

3.5.3.1

3.5.4

3.5.5-rc.1

3.5.5

3.5.6-rc.1

3.5.6

3.5.7-rc.1

3.5.7

3.5.7.1

3.5.8

3.5.8.1

3.5.8.2

3.5.8.3

3.5.8.4

3.6.0-alpha.1

3.6.0-alpha.2

3.6.0-alpha.3

3.6.0-alpha.4

3.6.0-beta.1

3.6.0-beta.2

3.6.0-beta.3

3.6.0-rc.1

3.6.0-rc.2

3.6.0-rc.3

3.6.0-rc.4

3.6.0-rc.5

3.6.0

3.6.1

3.6.1.1

3.6.2-rc.1

3.6.2-rc.2

3.6.2-rc.3

3.6.2

3.6.3-rc.1

3.6.3-rc.2

3.6.3

3.6.3.1

3.6.4-rc.1

3.6.4

3.6.5-rc.1

3.6.5

3.6.6-rc.1

3.6.6

3.6.6.1

3.6.6.2

3.6.6.3

3.6.6.4

3.6.6.5

3.6.6.6

3.7.0-rc.1

3.7.0-rc.2

3.7.0-rc.3

3.7.0

3.7.0.1

3.7.0.2

3.7.1-rc.1

3.7.1

3.7.2-rc.1

3.7.2

3.7.2.1

3.7.3-rc.1

3.7.3

3.7.4-rc.1

3.7.4

3.7.5

3.7.5.1

3.7.5.2

3.7.5.3

3.7.5.4

3.7.5.5

3.8.0-rc.1

3.8.0-rc.2

3.8.0-rc.3

3.8.0

3.8.1-rc.1

3.8.1

3.8.1.1

3.8.2-rc.1

3.8.2

3.8.3-rc.1

3.8.3-rc.2

3.8.3

3.8.4

3.8.4.1

3.8.4.2

3.8.4.3

3.8.4.4

3.9.0-rc.1

3.9.0-rc.2

3.9.0

3.9.1-rc.1

3.9.1

3.9.2-rc.1

3.9.2

3.9.3-rc.1

3.9.3

3.9.4-rc.1

3.9.4

3.9.5-rc.1

3.9.5

3.9.6-rc.1

3.9.6

3.9.6.1

3.9.7-rc.1

3.9.7

3.9.8-rc.1

3.9.8

3.9.8.1

3.9.8.2

3.10.0

3.10.0.1

3.10.1

3.10.1.1

4.*

4.0.0-alpha.1

4.0.0-alpha.2

4.0.0-alpha.3

4.0.0-alpha.4

4.0.0-alpha.5

4.0.0-alpha.6

4.0.0-alpha.7

4.0.0-beta.1

4.0.0-beta.2

4.0.0-beta.3

4.0.0-rc.1

4.0.0-rc.2

4.0.0-rc.3

4.0.0-rc.4

4.0.0

4.0.1

4.0.2

4.0.3

4.1.0-rc.1

4.1.0-rc.2

4.1.0-rc.3

4.1.0