
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Kirby CMS up to and including v4.1.0 was discovered to contain a self cross-site scripting (XSS) vulnerability in the Panel's URL field (NVD describes it as a reflected self-XSS via the URL parameter). The issue affects Kirby sites that use the URL field in any blueprint and was assigned CVE-2024-26481. It was disclosed in February 2024 and is fixed in versions 3.6.6.5, 3.7.5.4, 3.8.4.3, 3.9.8.1, 3.10.0.1, and 4.1.1 (GitHub Advisory).
The vulnerability exists in the Panel's URL field, which lets editors open the entered link in a new tab by clicking the link icon inside the field. In affected versions, Kirby copied the entered value into the link target without validating or sanitizing it, so a javascript: URL entered in the field would execute in the victim's browser, in the Panel's origin, when the link icon was opened with Ctrl+Click/Cmd+Click. The vulnerability has been assigned a CVSS v3.1 score of 4.2 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N; the high attack complexity and required user interaction reflect the social-engineering prerequisite described below (GitHub Advisory).
A successful attack requires the attacker to know the site's content structure (which blueprints expose a URL field) and to socially engineer a user with Panel access into entering the malicious value and opening it themselves. The vulnerability is therefore limited to self-XSS and cannot directly affect other users or visitors of the site. Within the Panel, however, a script executed this way can issue requests to Kirby's API with the victim's permissions, so the practical impact depends on the victim's role (GitHub Advisory).
Fixes are available in Kirby 3.6.6.5, 3.7.5.4, 3.8.4.3, 3.9.8.1, 3.10.0.1, and 4.1.1; users should update to one of these or a later release of their line. In the patched versions, the URL field only makes the link button clickable if the entered URL is valid and safe (GitHub Advisory). For Composer-managed installs, the running version can be confirmed with composer show getkirby/cms before and after the upgrade.
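As an added illustration that is not Kirby's own code, the following Node.js snippet contrasts the unsafe behaviour described above, where the typed value becomes the link target verbatim, with a scheme-allowlisting check of the kind the patched URL field needs before it enables the link button. The allowlist, function names and sample inputs are assumptions made for the example. It relies on the WHATWG URL parser built into Node.js 18+, which normalises the leading-whitespace, embedded-tab and mixed-case tricks used to smuggle a javascript: scheme past naive substring matching, and it shows a naive blocklist being bypassed by one of those tricks.

```javascript
// Added example, not from Kirby. Demonstrates why a URL field's link target
// must be validated before it becomes clickable. Requires Node.js 18+ (global URL).

// Assumed allowlist of schemes a URL field may open in a new tab.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Returns true only for an absolute URL whose scheme is on the allowlist.
// The WHATWG parser strips leading C0 controls and spaces, removes embedded
// tabs and newlines, and lowercases the scheme, so "jav\tascript:" and
// " JaVaScRiPt:" still parse as javascript: and are rejected here.
function isSafeUrl(value) {
  if (typeof value !== "string") return false;
  let parsed;
  try {
    parsed = new URL(value); // relative input throws: not a valid absolute URL
  } catch {
    return false;
  }
  return SAFE_SCHEMES.has(parsed.protocol);
}

// Vulnerable pattern (the behaviour the advisory describes): the entered
// value is copied into the link target unchanged, so a javascript: value
// runs in the Panel's origin when the icon is opened with Ctrl/Cmd+Click.
function linkTargetUnsafe(value) {
  return value;
}

// Patched pattern: the icon only gets an href when the URL is valid and safe;
// null means "render the link button disabled".
function linkTargetSafe(value) {
  return isSafeUrl(value) ? new URL(value).href : null;
}

// A naive blocklist on the raw string, shown only to demonstrate the bypass.
function naiveBlocklist(value) {
  return !value.toLowerCase().includes("javascript:");
}

// Constructed test inputs (hypothetical, not taken from any real site).
const SAMPLES = [
  "https://example.com/docs",
  "mailto:editor@example.com",
  "javascript:alert(document.cookie)",
  " JaVaScRiPt:alert(1)",
  "jav\tascript:alert(1)",
  "\u0001javascript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "/relative/path",
];

// Returns { input: { naive, safe } } so the two checks can be compared.
function compareChecks(samples = SAMPLES) {
  const out = {};
  for (const s of samples) {
    out[s] = { naive: naiveBlocklist(s), safe: isSafeUrl(s) };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [input, r] of Object.entries(compareChecks())) {
    console.log(JSON.stringify(input).padEnd(48), "naive:", r.naive, "safe:", r.safe);
  }
}
```

Running it shows the embedded-tab input "jav\tascript:alert(1)" slipping past the substring blocklist while the parser-based check rejects it, and the data: URL being rejected by the allowlist even though no blocklist entry matches it; the relative path is rejected as well, which matches a field that only enables its link button for a complete, safe URL.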
The vulnerability was responsibly reported by security researcher Natwara Archeepsamooth (@PlyNatwara). The vendor responded by releasing patches across multiple version lines to address the security issue (GitHub Advisory).
Source: This report was generated using AI