CVE-2025-65012
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in Kirby CMS where attackers with Panel access can inject malicious code into page titles or usernames. When another authenticated user views the 'Changes' dialog, the malicious code executes in their browser context. It affects Kirby 5 sites with untrusted authenticated users or external visitors who can modify titles/usernames.
💻 Affected Systems
- Kirby CMS
📦 What is this software?
Kirby by Getkirby
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal session cookies, perform actions as the victim user, or redirect to malicious sites, potentially leading to account takeover or administrative compromise.
Likely Case
Attackers with Panel access could perform limited XSS attacks against other authenticated users, potentially stealing session data or performing unauthorized actions.
If Mitigated
With proper user access controls and input validation, impact is limited to authenticated users viewing the Changes dialog.
🎯 Exploit Status
Requires authenticated Panel access and victim user interaction with Changes dialog. Cannot be automated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.1.4
Vendor Advisory: https://github.com/getkirby/kirby/security/advisories/GHSA-84hf-8gh5-575j
Restart Required: No
Instructions:
1. Back up your Kirby installation.
2. Update Kirby to version 5.1.4 via Composer: 'composer require getkirby/cms:^5.1.4'.
3. Clear the cache if applicable.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Restrict Panel Access
Limit Panel access to trusted users only and implement strict user role permissions.
Disable External Title/Username Updates
Prevent external visitors or untrusted users from modifying page titles or usernames.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Monitor and audit user activity for suspicious title/username modifications
🔍 How to Verify
Check if Vulnerable:
Check Kirby version in composer.json or via Panel dashboard. If version is between 5.0.0 and 5.1.3 inclusive, system is vulnerable.
Check Version:
Check composer.json (or composer.lock for the exact installed version) for 'getkirby/cms', or run 'composer show getkirby/cms'.
Verify Fix Applied:
Verify Kirby version is 5.1.4 or higher. Test that malicious strings in titles/usernames are properly sanitized in Changes dialog.
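The version check above, scripted as an added example (not part of Kirby or the vendor advisory): it reads the locked 'getkirby/cms' version from composer.lock content and reports whether it falls in the affected range 5.0.0 to 5.1.3. It assumes a Composer-managed install; the sample lock fragment is constructed.

```python
"""Check an installed Kirby version against the CVE-2025-65012 affected range.

Affected per the advisory: 5.0.0 through 5.1.3; fixed in 5.1.4.
Pre-release tags of 5.1.4 (e.g. 5.1.4-rc.1) are treated as older than 5.1.4.
"""
import json
import re

PACKAGE = "getkirby/cms"
FIRST_AFFECTED = (5, 0, 0, 0)
FIXED = (5, 1, 4, 0)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(tag: str) -> tuple:
    """Turn '5.1.3', 'v5.1.3' or '5.1.4-rc.1' into a comparable tuple.

    The fourth element is -1 for pre-releases so that 5.1.4-rc.1 sorts before 5.1.4.
    """
    m = _VERSION_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {tag!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), -1 if prerelease else 0)


def is_affected(tag: str) -> bool:
    """True if the version lies in [5.0.0, 5.1.4)."""
    return FIRST_AFFECTED <= parse_version(tag) < FIXED


def installed_kirby_version(lock_text: str):
    """Return the locked getkirby/cms version from composer.lock content, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def check_lockfile(lock_text: str) -> str:
    """Classify a composer.lock as 'vulnerable', 'fixed' or 'not-installed'."""
    tag = installed_kirby_version(lock_text)
    if tag is None:
        return "not-installed"
    return "vulnerable" if is_affected(tag) else "fixed"


# Constructed sample composer.lock fragment (not taken from any real site).
SAMPLE_LOCK = json.dumps({"packages": [{"name": "getkirby/cms", "version": "5.1.3"}]})

if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))  # prints "vulnerable"
```

Run it against a real site with `check_lockfile(open("composer.lock").read())`; a 'fixed' result only confirms the package version, so the sanitization test in the Changes dialog still applies.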
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to page titles or usernames
- Multiple failed authentication attempts to Panel
Network Indicators:
- Unexpected outbound connections from Panel users' browsers
SIEM Query:
Look for 'title' or 'username' field modifications followed by Changes dialog access events