CVE-2023-38490: 
PHP vulnerability analysis and mitigation

CVE-2023-38490 affects Kirby, a content management system, in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. The vulnerability only impacts Kirby sites that use the Xml data handler or the Xml::parse() method in site or plugin code. The vulnerability was discovered in July 2023 and was responsibly reported by Alexandre Zanni (@noraj) at ACCEIS and Patrick Falb (@dapatrese) at FORMER 03 (GitHub Advisory).

The vulnerability is an XML External Entity (XXE) issue that occurs because Kirby's Xml::parse() method used PHP's LIBXML_NOENT constant, which enabled the processing of XML external entities during parsing operations. The Xml::parse() method is used in the Xml data handler (e.g. Data::decode($string, 'xml')). The vulnerability has a CVSS v3.1 base score of 6.8 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N (GitHub Advisory).

If exploited, this vulnerability could allow attackers to disclose internal or confidential data stored on the server through arbitrary file disclosure or perform network requests on behalf of the server through server-side request forgery (SSRF). This is particularly concerning when XML files are of external origin, such as those uploaded by users or retrieved from external URLs (GitHub Advisory).

The vulnerability has been patched in versions 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. The fix removes the LIBXML_NOENT constant as processing of external entities is considered out of scope of the parsing logic. Users are strongly recommended to update to one of these patched versions or later to protect against this vulnerability (GitHub Advisory, GitHub Release).