CVE-2021-32735
📋 TL;DR
This vulnerability allows cross-site scripting (XSS) attacks in Kirby CMS Panel's ListItem component. Authenticated Panel users can escalate privileges by exploiting admin sessions, while visitors without Panel access can attack through frontend forms. Kirby versions 3.5.5 and 3.5.6 are affected.
💻 Affected Systems
- Kirby CMS
📦 What is this software?
Kirby by Getkirby
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users achieve privilege escalation to admin level, gaining full control over the CMS and potentially the underlying server.
Likely Case
Authenticated users with Panel access execute XSS attacks to steal admin sessions or perform unauthorized actions.
If Mitigated
With proper input validation and sanitization, only authenticated Panel users could attempt exploitation with limited success.
🎯 Exploit Status
Exploitation requires authenticated Panel access or ability to submit data through vulnerable frontend forms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.7
Vendor Advisory: https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm
Restart Required: No
Instructions:
1. Backup your Kirby installation. 2. Update Kirby to version 3.5.7 or later via composer (composer update getkirby/cms) or manual download. 3. Verify the update completed successfully.
🔧 Temporary Workarounds
Input Validation/Sanitization
allValidate and sanitize all user input from frontend forms to prevent XSS payloads from reaching the Panel.
🧯 If You Can't Patch
- Implement strict input validation and sanitization on all frontend forms that accept user data.
- Restrict Panel access to trusted users only and monitor for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check Kirby version in composer.json or panel settings. If version is 3.5.5 or 3.5.6, system is vulnerable.Check Version:
Check composer.json for "getkirby/cms" version or view Panel settings.Verify Fix Applied:
Confirm Kirby version is 3.5.7 or later. Test that HTML in page titles is properly escaped in the Panel.📡 Detection & Monitoring
Log Indicators:
- Unusual Panel login patterns
- Multiple failed login attempts followed by successful admin access
- Suspicious form submissions containing HTML/script tags
Network Indicators:
- Unexpected JavaScript execution in Panel responses
- Suspicious POST requests to form endpoints with script payloads
SIEM Query:
Search for: (event_source="kirby_panel" AND (user_agent contains "script" OR request_body contains "<script>")) OR (event_source="web_form" AND (input contains "onerror=" OR input contains "javascript:"))