CVE-2023-38491

CVSS 3.1 Score 5.4 of 10 (medium)

Details

Published Jul 27, 2023
Updated: Aug 3, 2023
CWE ID 79

Summary

CVE-2023-38491 is a vulnerability in the Kirby content management system. Versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 are affected. It impacts all Kirby sites that allow potential attackers in the group of authenticated Panel users, or external visitors, to upload arbitrary files to the content folder. Sites that do not allow file uploads for untrusted users or visitors, or that limit the file extensions of uploaded files, are not affected. The attack requires user interaction and cannot be automated.

An editor with write access to the Kirby Panel can upload a file with an unknown extension that contains harmful HTML code, such as `<script>` tags, and share it with other users or visitors of the site via a direct link. If a victim opens this link in a browser where they are logged in to Kirby, and the file has not been opened by anyone since the upload, Kirby is unable to stop the harmful content from executing. The danger is therefore that malicious HTML in an uploaded file runs in the browser of an unsuspecting user who is logged in to the Kirby site.

Organizations running affected versions of Kirby should update to version 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, or 3.9.6 as soon as possible to remediate this vulnerability and prevent attacks exploiting it.
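The two mitigating conditions named above (an extension allowlist, and refusing to let an upload of unknown type be rendered as HTML) as an added Python example. This is not Kirby's code; the allowlist, the sniffing markers and the sample files are constructed for illustration.

```python
"""Upload validation and safe download headers for user-supplied files.

Example code, not Kirby's implementation. Two layers are shown: reject any
upload whose extension is not on the site's allowlist, and, for text-like
types that are allowed, reject content a browser would render as HTML.
"""
import re

# Constructed allowlist: only these extensions may be uploaded at all.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv"}
# Binary formats the HTML sniff is skipped for (their magic bytes identify them).
BINARY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Tags that make a content-sniffing browser treat the body as HTML.
# Matched case-insensitively; a leading BOM or whitespace does not hide them.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|script|iframe|svg|body|object|embed|img|a)\b",
    re.IGNORECASE,
)


def extension_of(filename: str) -> str:
    """Lowercase extension of filename, or '' if it has none."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def looks_like_html(content: bytes, window: int = 1024) -> bool:
    """True if the leading bytes contain a tag browsers would render as HTML.
    Browsers sniff only the first few hundred bytes, so 1024 is conservative."""
    return HTML_MARKERS.search(content[:window]) is not None


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate upload."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{ext}' is not on the allowlist"
    if ext not in BINARY_EXTENSIONS and looks_like_html(content):
        return False, f"'.{ext}' upload contains HTML markup"
    return True, "ok"


def download_headers(filename: str) -> dict[str, str]:
    """Headers for serving an uploaded file by direct link: force a download
    and forbid MIME sniffing so the browser never renders the body inline."""
    return {
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "application/octet-stream",
    }
```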
