CVE-2024-26482 – getkirby/cms

Package

Manager: composer
Name: getkirby/cms
Vulnerable Version: <0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVSS v4.0: N/A

EPSS: 0.00035 pctl0.08668

Details

Withdrawn Advisory: Kirby CMS HTML injection vulnerability ## Withdrawn Advisory This advisory has been withdrawn because the vendor reports that some HTML formatting (such as with an H1 element) is allowed, but there is backend sanitization such that the reporter's mentioned "injecting malicious scripts" would not occur. ## Original Advisory An HTML injection vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted payload.

Metadata

Created: 2024-02-22T06:30:33Z
Modified: 2024-08-30T14:42:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-qv4x-v2v4-f8p9/GHSA-qv4x-v2v4-f8p9.json
CWE IDs: ["CWE-80"]
Alternative ID: GHSA-qv4x-v2v4-f8p9
Finding: N/A
Auto approve: 0