Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVE-2024-26482

High

7.1/10

Summary

An HTML injection vulnerability exists in the Edit Content Layout module of Kirby CMS. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is backend sanitization such that the reporter's mentioned "injecting malicious scripts" would not occur.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

References

POC/Exploit

Advisory Timeline

Published Feb 22, 2024

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVE-2024-26482

Summary

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS