
Cloud Vulnerability DB
A community-led vulnerabilities database
Kirby, an open-source file-based CMS, was affected by a cross-site scripting (XSS) vulnerability tracked as CVE-2021-41258. The vulnerability affected versions 3.5.0 through 3.5.7.1 and was patched in version 3.5.8, released on November 16, 2021. The issue lay in Kirby's blocks field functionality, specifically in the default image block snippet; the blocks field stores structured data for each block (GitHub Advisory).
The vulnerability stemmed from the default snippet for the image block not using the escaping helper for HTML special characters. This made it possible to inject malicious HTML into the source, alt, and link fields of the image block. When that content was displayed on the site frontend, it executed in the browsers of site visitors and logged-in users. The vulnerability received a CVSS v3.1 base score of 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).
The vulnerability allowed attackers to execute arbitrary JavaScript in the site frontend or in the Panel session of other users. For logged-in users, a malicious script could issue requests to Kirby's API with the victim's permissions. This was particularly critical in environments where potential attackers had access to authenticated Panel users, since they could escalate their privileges if they gained access to an admin user's Panel session (GitHub Advisory).
The vulnerability was patched in Kirby version 3.5.8 by implementing proper escaping of special HTML characters in the output from the default image block snippet. Users were advised to update to version 3.5.8 or later to fix the vulnerability (GitHub Release).
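To make the root cause and the fix concrete, the following is an added illustration and not Kirby's own snippet code: a minimal image-block renderer in its unescaped form beside the escaped form. It assumes a block with `src`, `alt` and `link` fields (constructed sample values) and uses plain `htmlspecialchars()` as a stand-in for Kirby's escaping helper, so it runs without Kirby installed.

```php
<?php
// Constructed sample of the structured data an image block stores.
// Field names follow the advisory (source/src, alt, link); values are
// hand-made test input that tries to break out of an HTML attribute.
$block = [
    'src'  => 'a.jpg" onerror="injected()',
    'alt'  => 'Photo "of" a <b>cat</b>',
    'link' => 'https://example.com/page" data-x="',
];

// Vulnerable form (the behaviour described for 3.5.0 - 3.5.7.1): field
// values are interpolated into the markup verbatim, so a '"' in the
// content terminates the attribute and the rest lands in the page as markup.
function renderImageBlockUnescaped(array $b): string
{
    $img = '<img src="' . $b['src'] . '" alt="' . $b['alt'] . '">';
    return $b['link'] !== ''
        ? '<a href="' . $b['link'] . '">' . $img . '</a>'
        : $img;
}

// Stand-in for Kirby's escaping helper (assumption: Kirby 3.5.8 applies its
// own helper to these fields; the exact call is not shown on this page).
// ENT_QUOTES matters: attribute values are delimited by quotes, so a
// helper that leaves '"' alone would still allow the breakout above.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: every field value is escaped before it is placed in an
// attribute, so the browser sees the payload as literal text.
function renderImageBlockEscaped(array $b): string
{
    $img = '<img src="' . e($b['src']) . '" alt="' . e($b['alt']) . '">';
    return $b['link'] !== ''
        ? '<a href="' . e($b['link']) . '">' . $img . '</a>'
        : $img;
}

// Quick check: with three attributes, the escaped output contains exactly
// six literal double quotes (the delimiters) and no raw '<' from field data.
function attributeDelimitersIntact(string $html): bool
{
    return substr_count($html, '"') === 6 && substr_count($html, '<') === 2;
}

echo "vulnerable: " . renderImageBlockUnescaped($block) . PHP_EOL;
echo "escaped:    " . renderImageBlockEscaped($block) . PHP_EOL;
echo "delimiters intact (escaped): "
    . (attributeDelimitersIntact(renderImageBlockEscaped($block)) ? 'yes' : 'no') . PHP_EOL;
```

The unescaped output yields an `img` tag carrying an injected event-handler attribute; the escaped output renders the same content inertly, which is the property the 3.5.8 fix restores for the default image block snippet.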
Source: This report was generated using AI