CVE-2024-27087: 
PHP vulnerability analysis and mitigation

CVE-2024-27087 affects Kirby, a content management system, specifically in versions 4.0.0 through 4.1.0. The vulnerability was discovered in the new link field feature introduced in Kirby 4, which allows different link types including a 'Custom' link type. The issue was disclosed on February 26, 2024, and has been patched in version 4.1.1 (GitHub Advisory).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The 'Custom' link type in the link field was designed to be flexible for advanced use cases, but this flexibility allowed the javascript: URL scheme, which could be exploited to execute arbitrary JavaScript code (GitHub Advisory, NVD).

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code when a user or visitor clicks on a link generated from the contents of the link field. In the Panel, malicious scripts can trigger requests to Kirby's API with the victim's permissions. This is particularly critical in environments with multiple authenticated Panel users, as attackers could potentially escalate their privileges if they gain access to an admin user's Panel session (GitHub Advisory).

The vulnerability has been patched in Kirby version 4.1.1, which updates the link field to hide the 'Custom' link type by default. Users are advised to update to this or a later version. Additionally, sites can be protected by limiting the acceptable link types with the options field property. For cases where the 'Custom' link type is needed, additional validation should be implemented (GitHub Advisory, Kirby Patch).

The vulnerability was responsibly disclosed by security researcher Natwara Archeepsamooth (@PlyNatwara), who identified the javascript: attack vector. The vendor has added warnings to their documentation regarding the use of the 'Custom' link type (GitHub Advisory).