CVE-2021-41258

7.3 HIGH

📋 TL;DR

This CVE describes a stored cross-site scripting (XSS) vulnerability in Kirby CMS's image block functionality. Authenticated attackers can inject malicious HTML into image source, alt, and link fields, which executes in visitors' browsers when viewing affected pages. Only Kirby installations using the blocks field with authenticated Panel users are vulnerable.

💻 Affected Systems

Products:
  • Kirby CMS
Versions: before 3.5.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations that use the blocks field. Sites not using the blocks field are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authenticated attackers could steal session cookies, redirect users to malicious sites, or perform actions on behalf of users, potentially compromising admin accounts and site integrity.

🟠 Likely Case

Authenticated users with malicious intent could deface websites, steal visitor session data, or redirect users to phishing pages.

🟢 If Mitigated

With proper user access controls and input validation in place, exploitation requires an authenticated user who also circumvents those controls, so the impact is limited accordingly.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated Panel user. XSS attack vectors of this kind are well documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.8

Vendor Advisory: https://github.com/getkirby/kirby/security/advisories/GHSA-cq58-r77c-5jjw

Restart Required: No

Instructions:

1. Back up your Kirby installation.
2. Update Kirby to version 3.5.8 or later via Composer: 'composer require getkirby/cms:^3.5.8'
3. Clear the cache if applicable.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Manual HTML escaping (applies to: all)

Manually escape HTML special characters in custom image block snippets.

Modify your image block snippet to use Kirby's escape helper: <?= $block->source()->escape('html') ?>
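A worked illustration of this workaround, added here and not code from this page or from Kirby itself: plain PHP that renders an image block's src, alt and link fields first unescaped (the failure pattern) and then escaped, over a constructed sample block. The field names follow the advisory's wording, the two render functions and the escHtml/safeUrl helpers are hypothetical, and the URL scheme allowlist is an extra check the page does not mention. In a real Kirby snippet the escaping step corresponds to the field method the page names, ->escape('html').

```php
<?php
declare(strict_types=1);

// Constructed sample of an image block's content fields (src, alt, link)
// holding the kinds of characters that must be neutralised on output.
// The field names follow the advisory's description; the exact names in a
// real Kirby block may differ.
const SAMPLE_IMAGE_BLOCK = [
    'src'  => 'https://example.com/photo.jpg"><script>probe()</script>',
    'alt'  => 'Holiday <script>probe()</script> photo',
    'link' => 'javascript:probe()',
];

// Illustrative unescaped rendering (not Kirby's own snippet): field values
// are interpolated raw, so any HTML in them reaches the visitor's browser.
function renderImageBlockUnescaped(array $c): string
{
    $html = '<figure>';
    if ($c['link'] !== '') {
        $html .= '<a href="' . $c['link'] . '">';
    }
    $html .= '<img src="' . $c['src'] . '" alt="' . $c['alt'] . '">';
    if ($c['link'] !== '') {
        $html .= '</a>';
    }
    return $html . '</figure>';
}

// HTML-escape a value for use inside double-quoted attributes or text nodes.
// (Named escHtml rather than esc to avoid clashing with Kirby's esc() helper.)
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escaping does not neutralise a dangerous URL scheme inside href/src, so a
// URL field is additionally restricted to an allowlist: http(s), mailto, or a
// site-relative path (a protocol-relative //host path is not accepted).
function safeUrl(?string $url): ?string
{
    $url = trim((string) $url);
    if ($url === '') {
        return null;
    }
    if (preg_match('~^(?:https?:|mailto:)~i', $url) === 1 || preg_match('~^/(?!/)~', $url) === 1) {
        return $url;
    }
    return null;
}

// Hardened rendering: every field is escaped at output and the URL fields are
// scheme-checked. A block without a usable image URL renders nothing.
function renderImageBlockEscaped(array $c): string
{
    $src = safeUrl($c['src'] ?? null);
    if ($src === null) {
        return '';
    }
    $link = safeUrl($c['link'] ?? null);
    $html = '<figure>';
    if ($link !== null) {
        $html .= '<a href="' . escHtml($link) . '">';
    }
    $html .= '<img src="' . escHtml($src) . '" alt="' . escHtml((string) ($c['alt'] ?? '')) . '">';
    if ($link !== null) {
        $html .= '</a>';
    }
    return $html . '</figure>';
}

$unsafe = renderImageBlockUnescaped(SAMPLE_IMAGE_BLOCK);
$safe   = renderImageBlockEscaped(SAMPLE_IMAGE_BLOCK);

// The unescaped output carries a raw <script> tag and a javascript: href;
// the hardened output contains neither.
if (strpos($unsafe, '<script>') === false
    || strpos($safe, '<script') !== false
    || strpos($safe, 'javascript:') !== false) {
    throw new RuntimeException('escaping check failed');
}
echo "unescaped: $unsafe\n";
echo "escaped:   $safe\n";
```

Run it with php on the command line. The point to carry over into a Kirby snippet is that escaping belongs at the output step for every field, and that the link and src fields need a scheme check on top of escaping, because htmlspecialchars leaves a javascript: URL intact.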

Disable blocks field (applies to: all)

Temporarily disable or remove blocks field usage if it is not essential.

Remove or comment out blocks field usage in blueprints and templates.

🧯 If You Can't Patch

  • Implement strict access controls to limit Panel user permissions
  • Enable Content Security Policy (CSP) headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Check the Kirby version in composer.json or in the Panel: the site is vulnerable if the version is below 3.5.8 and the blocks field is in use.

Check Version:

php -r "require 'vendor/autoload.php'; echo Kirby\Cms\App::version();"

Verify Fix Applied:

Confirm that the Kirby version is 3.5.8 or later and test that image block HTML output is properly escaped.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Panel user activity, multiple image block modifications
  • HTML/script tags in image field data
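A content audit for the second log indicator (HTML or script tags in image field data), added here as an example and not part of the page or of Kirby: a PHP script that walks a stored blocks field value, looks only at image blocks, and flags src, alt and link values that contain HTML metacharacters or a URL scheme outside a small allowlist. The JSON shape (an array of objects with "type", "id" and "content") is my assumption about how Kirby stores blocks, the sample value is constructed, and auditImageBlocks/suspiciousReason are hypothetical helper names; point it at the real field value read from your content storage.

```php
<?php
declare(strict_types=1);

// Constructed sample of a blocks field value. Block b3 carries a script tag in
// alt and a javascript: link, b4 has an attribute-breaking quote in src;
// b1 and b2 are clean.
const SAMPLE_BLOCKS_JSON = <<<'JSON'
[
  {"type": "text",  "id": "b1", "content": {"text": "<p>Plain paragraph</p>"}},
  {"type": "image", "id": "b2", "content": {"src": "https://example.com/ok.jpg", "alt": "A normal caption", "link": "/about"}},
  {"type": "image", "id": "b3", "content": {"src": "https://example.com/x.jpg", "alt": "Caption <script>probe()</script>", "link": "javascript:probe()"}},
  {"type": "image", "id": "b4", "content": {"src": "pic.jpg\"><b>x</b>", "alt": "", "link": ""}}
]
JSON;

// The three fields the advisory names as injection points.
const IMAGE_FIELDS = ['src', 'alt', 'link'];

// Schemes a link or image URL may legitimately use.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

// Return a reason string when a field value looks like HTML injection or a
// disallowed URL scheme, or null when it looks benign.
function suspiciousReason(string $field, string $value): ?string
{
    // Legitimate URLs and alt text never need these characters.
    if (preg_match('/[<>"\']/', $value) === 1) {
        return 'HTML metacharacters';
    }
    if (in_array($field, ['src', 'link'], true)) {
        // Browsers strip tabs/newlines and leading controls from URLs, so
        // remove them before reading the scheme rather than matching the raw text.
        $v = (string) preg_replace('/[\x00-\x20]+/', '', $value);
        if (preg_match('~^([a-z][a-z0-9+.\-]*):~i', $v, $m) === 1
            && !in_array(strtolower($m[1]), ALLOWED_SCHEMES, true)) {
            return 'disallowed URL scheme ' . strtolower($m[1]) . ':';
        }
    }
    return null;
}

// Walk the blocks and return one finding per flagged field:
// [block id, field name, reason].
function auditImageBlocks(string $json): array
{
    $blocks = json_decode($json, true);
    if (!is_array($blocks)) {
        throw new InvalidArgumentException('blocks field is not valid JSON');
    }
    $findings = [];
    foreach ($blocks as $block) {
        if (($block['type'] ?? '') !== 'image') {
            continue;
        }
        foreach (IMAGE_FIELDS as $field) {
            $value  = (string) ($block['content'][$field] ?? '');
            $reason = suspiciousReason($field, $value);
            if ($reason !== null) {
                $findings[] = [(string) ($block['id'] ?? '?'), $field, $reason];
            }
        }
    }
    return $findings;
}

$findings = auditImageBlocks(SAMPLE_BLOCKS_JSON);

// Expected on the sample: b3/alt (metacharacters), b3/link (javascript:), b4/src (quote).
if (count($findings) !== 3) {
    throw new RuntimeException('unexpected number of findings: ' . count($findings));
}
foreach ($findings as [$id, $field, $reason]) {
    echo "block $id: field '$field' flagged ($reason)\n";
}
```

A finding is a prompt to look at who last edited that page in the Panel, not proof of an attack on its own; the value of the scan is that it works on stored content, so it catches injected fields whether or not the page has been viewed yet.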

Network Indicators:

  • Unexpected outbound connections from site visitors
  • Suspicious redirect patterns

SIEM Query:

source="web_logs" AND (url_contains("image-block") OR message_contains("<script>"))
