CVE-2022-36037: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in getkirby kirby

Medium
Published: Mon Aug 29 2022 (08/29/2022, 17:35:09 UTC)
Source: CVE
Vendor/Project: getkirby
Product: kirby

Description

Kirby is a content management system (CMS) that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting (XSS) is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can, for example, trigger requests to Kirby's API with the permissions of the victim. If bad actors gain access to your group of authenticated Panel users, they can escalate their privileges via the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible. The multiselect field allows selection of tags from an autocompleted list. Unfortunately, the Panel in Kirby 3.5 used HTML rendering for the raw option value. This allowed **attackers with influence on the options source** to store HTML code. When a victim visited a page with manipulated multiselect options in the Panel and opened the autocomplete dropdown, their browser rendered this malicious HTML code. Users are *not* affected by this vulnerability if they don't use the multiselect field or don't use it with options that can be manipulated by attackers. The problem has been patched in Kirby 3.5.8.1.

AI-Powered Analysis

Last updated: 06/22/2025, 23:21:19 UTC

Technical Analysis

CVE-2022-36037 is a cross-site scripting (XSS) vulnerability affecting versions of the Kirby content management system (CMS) prior to 3.5.8.1. Kirby is a flexible CMS used to build custom interfaces for various web projects. The vulnerability arises from improper neutralization of input during web page generation, specifically within the Panel's multiselect field component. This field allows users to select tags from an autocompleted list. In affected versions, the Panel rendered the raw option values as HTML without proper sanitization, enabling attackers who can influence the source of these options to inject malicious HTML or JavaScript code. When an authenticated user opens the autocomplete dropdown in the Panel, the malicious code executes in their browser context. This can lead to execution of arbitrary JavaScript within the victim’s session, allowing attackers to perform actions with the victim’s permissions, such as making unauthorized API requests or escalating privileges if the victim is an admin user. The vulnerability requires that the attacker have some level of influence over the source of the multiselect options, which typically implies some form of authenticated or indirect access to the system or content that populates these options. Users who do not use the multiselect field or do not allow attacker-controlled input in the options are not affected. The issue was patched in Kirby version 3.5.8.1. There are no known exploits in the wild reported to date. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common XSS weakness. The attack vector is within the authenticated Panel interface, meaning exploitation requires at least some level of user authentication and interaction with the vulnerable UI component.
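As an added illustration of the rendering flaw the description and analysis above refer to (this is not Kirby's own Panel code), here is an autocomplete dropdown that concatenates option values into HTML unescaped, beside the escaped form that displays option content literally; the function names and the option data are constructed for this example.

```javascript
// Added example (not Kirby's own code): an autocomplete dropdown that inserts
// option values into HTML verbatim, next to the escaped version. All names and
// option data here are constructed for illustration.

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: raw option text becomes live markup in the victim's
// Panel session as soon as the dropdown is opened.
function renderDropdownVulnerable(options) {
  const items = options.map(o => `<li data-value="${o.value}">${o.text}</li>`);
  return `<ul>${items.join("")}</ul>`;
}

// Hardened pattern: every field sourced from option data is escaped before
// concatenation, so a manipulated option is shown as literal text.
function renderDropdownSafe(options) {
  const items = options.map(
    o => `<li data-value="${escapeHtml(o.value)}">${escapeHtml(o.text)}</li>`
  );
  return `<ul>${items.join("")}</ul>`;
}

// Regression check: the rendered markup may contain only the dropdown's own
// <ul>/<li> tags; anything else means option content leaked in as HTML.
function containsForeignTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][a-zA-Z0-9-]*/g) || [];
  return tags.some(t => !/^<\/?(ul|li)$/.test(t));
}

// Constructed options source: one legitimate tag and one whose text was
// altered by a party with influence on the source, as the advisory describes.
const sampleOptions = [
  { value: "design", text: "Design" },
  { value: "x", text: "<script>alert(1)</script>" },
];

// Demo when run directly: vulnerable output leaks a <script> tag, safe does not.
console.log(containsForeignTag(renderDropdownVulnerable(sampleOptions))); // true
console.log(containsForeignTag(renderDropdownSafe(sampleOptions)));       // false
```

The `containsForeignTag` check is the kind of assertion a Panel component test could carry so the regression cannot silently return.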

Potential Impact

For European organizations using Kirby CMS versions prior to 3.5.8.1, this vulnerability poses a risk primarily to the confidentiality and integrity of administrative sessions within the CMS Panel. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of authenticated users, potentially leading to unauthorized API calls, privilege escalation, and manipulation of site content or configuration. This could disrupt content management workflows, compromise sensitive data managed through the CMS, or facilitate further attacks such as lateral movement or data exfiltration. The impact is especially significant for organizations relying on Kirby for critical web infrastructure or those with multiple authenticated users managing content collaboratively. However, since exploitation requires influence over the multiselect options source and authenticated access, the attack surface is somewhat limited. The vulnerability does not directly affect end-users of the public-facing website unless they have authenticated Panel access. Nonetheless, the risk to administrative users and the potential for privilege escalation make this a medium-severity threat. European organizations with sensitive or regulated data managed via Kirby CMS should consider the risk carefully, as compromise could lead to violations of data protection regulations such as GDPR if personal data is exposed or altered.

Mitigation Recommendations

1. Upgrade immediately to Kirby CMS version 3.5.8.1 or later, where the vulnerability has been patched.
2. Review and restrict access to the Panel interface to trusted users only, minimizing the number of users who can influence multiselect options.
3. Audit the sources of data populating multiselect fields to ensure they cannot be manipulated by untrusted or unauthenticated users.
4. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the Panel context.
5. Monitor Panel user activity logs for unusual behavior indicative of exploitation attempts, such as unexpected API requests or privilege escalations.
6. Educate administrators and content managers about the risks of interacting with untrusted input in the CMS interface.
7. If upgrading is not immediately possible, consider disabling or avoiding use of the multiselect field with dynamic or user-influenced options until patched.
8. Conduct regular security assessments of the CMS environment to detect potential injection points and ensure input validation and output encoding best practices are followed.

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-07-15T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9844c4522896dcbf3bd4

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/22/2025, 11:21:19 PM

Last updated: 8/11/2025, 10:50:14 AM
