
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-38488 is a field injection vulnerability discovered in Kirby, a content management system, affecting versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. The vulnerability affects Kirby sites with authenticated Panel users or those allowing external visitors to update content files. The issue was discovered and reported in June 2023 and publicly disclosed on July 27, 2023 (GitHub Advisory).
The vulnerability exists in the KirbyData text storage handler, which stores content in text files using Kirby's KirbyData format, and stems from the way Unicode BOM sequences inside field separators were handled. When reading a KirbyData file, the code first removed any Unicode BOM sequence from the file contents before splitting the content into fields. When writing, however, field separators containing a Unicode BOM sequence (e.g., --\xEF\xBB\xBF--) were not detected as separators, so the sequence survived the write and was turned into a real field separator on the next read, allowing attackers to inject unauthorized field data. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH by NVD and 7.1 HIGH by GitHub (NVD).
The vulnerability allows attackers with content write access to overwrite content fields that were not intended to be modified. This can be exploited to alter site content, break site behavior, or inject malicious data or code. Only fields in the content file that were defined above the vulnerable user-writable field, or that were not defined at all, are affected, because a later field with the same key replaces an earlier one when the file is read (GitHub Advisory).
The vulnerability has been patched in versions 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. The fix modifies the code to only remove the Unicode BOM sequence at the beginning of the file, addressing the vulnerability for both newly written and existing content files. Users are strongly advised to upgrade to one of these patched versions (GitHub Release).
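To make the read/write asymmetry described above and the scope of the patch concrete, here is an added example (not Kirby's own code) that models a simplified KirbyData encoder together with the pre-patch and patched decoders; the format details, the field names and the audit helper are assumptions for illustration.

```python
import re

# Constructed, simplified model of the KirbyData text format (not Kirby's own
# code): "Key: value" fields separated by a line of four dashes; when a key
# repeats, the later field overwrites the earlier one.
BOM = "\ufeff"            # U+FEFF, encoded in UTF-8 as EF BB BF
SEPARATOR = "\n----"

def encode(fields: dict) -> str:
    """Write fields to KirbyData text, escaping a literal separator in a value."""
    parts = []
    for key, value in fields.items():
        # Only the literal "----" is escaped. A value holding "--<BOM>--" has
        # no such run, so it is written verbatim: the write-side half of the bug.
        escaped = value.replace(SEPARATOR, "\n\\----")
        parts.append(f"{key.capitalize()}: {escaped}")
    return "\n\n----\n\n".join(parts) + "\n"

def _parse(text: str) -> dict:
    """Split on separator lines and collect fields; later keys win."""
    fields = {}
    for chunk in re.split(r"\n----\s*\n*", text):
        key, colon, value = chunk.partition(":")
        if colon:
            fields[key.strip().lower()] = value.strip().replace("\n\\----", SEPARATOR)
    return fields

def decode_vulnerable(text: str) -> dict:
    # Pre-patch read: every BOM anywhere in the file is stripped first, so a
    # stored "--<BOM>--" collapses into a genuine "----" separator.
    return _parse(text.replace(BOM, ""))

def decode_fixed(text: str) -> dict:
    # Patched read: only a BOM at the very start of the file is stripped.
    return _parse(text[len(BOM):] if text.startswith(BOM) else text)

def embedded_bom_offsets(text: str) -> list:
    # Audit helper for existing content files: offsets of any BOM that is not
    # the file's first character, which a legitimately written file never has.
    return [i for i, ch in enumerate(text) if ch == BOM and i > 0]

def demo() -> tuple:
    # Constructed content: only the "text" value is attacker-controlled.
    stored = encode({"title": "Hello", "text": "Body\n\n--\ufeff--\n\nTitle: Pwned"})
    return decode_vulnerable(stored)["title"], decode_fixed(stored)["title"], stored
```

Running demo() shows the pre-patch decoder returning the injected title while the patched decoder keeps the original one, and embedded_bom_offsets() flags the stored file as one worth inspecting.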
The vulnerability was responsibly reported by Patrick Falb (@dapatrese) at FORMER 03. The vendor responded by releasing security patches across multiple version branches and providing detailed documentation about the vulnerability (GitHub Advisory).
Source: This report was generated using AI