
CVE-2025-65012: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in getkirby kirby

Severity: Medium
Tags: Vulnerability, CVE-2025-65012, CWE-79
Published: Tue Nov 18 2025 (11/18/2025, 22:44:11 UTC)
Source: CVE Database V5
Vendor/Project: getkirby
Product: kirby

Description

Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the model a candidate for display in the "Changes" dialog. If another authenticated user subsequently opened the dialog in their Panel, the malicious code would be executed. This vulnerability affects all Kirby 5 sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update page titles or usernames. The attack requires user interaction by another Panel user and cannot be automated. This issue has been patched in version 5.1.4.

AI-Powered Analysis

AI analysis last updated: 11/18/2025, 23:09:48 UTC

Technical Analysis

CVE-2025-65012 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the Kirby content management system (CMS) versions 5.0.0 to 5.1.3. The vulnerability arises from improper neutralization of input during web page generation, specifically in the handling of page titles and user names. An attacker with authenticated access to the Kirby Panel can set the title of any page or the name of any user to a string containing malicious JavaScript. By then modifying any content field of the same model without saving, the attacker causes that model to be listed in the 'Changes' dialog. When another authenticated user opens this dialog, the unescaped title or name is rendered into the Panel and the script executes in that user's browser context. The attack therefore requires at least two authenticated users: one to plant the payload and another to trigger it by viewing the dialog. No privileges beyond ordinary authenticated Panel access are needed, but the user interaction requirement rules out fully automated exploitation. The flaw affects all Kirby 5 sites whose authenticated Panel users might include attackers, or that allow external visitors to update page titles or user names. The vulnerability was patched in Kirby version 5.1.4. No exploits are currently reported in the wild. The CVSS 4.0 base score is 5.1 (medium severity): network attack vector, low attack complexity, privileges limited to an authenticated Panel account, and user interaction required. The impact primarily concerns confidentiality and integrity, since a script running in another Panel user's session could steal session tokens, perform actions on that user's behalf, or deface content within the CMS Panel.

Potential Impact

For European organizations using Kirby CMS versions 5.0.0 to 5.1.3, this vulnerability poses a risk of unauthorized script execution within the administrative Panel interface. This could lead to session hijacking, unauthorized actions, or data manipulation by attackers with authenticated access. The impact is particularly significant for organizations with multiple Panel users or those allowing external users to update page titles or usernames, as it increases the attack surface. Confidentiality of sensitive administrative data and integrity of content management processes could be compromised. While the vulnerability does not directly affect availability, successful exploitation could facilitate further attacks or unauthorized changes that disrupt normal operations. Given the reliance on CMS platforms for web presence and content management, exploitation could damage reputation and trust. European organizations in sectors with strict data protection regulations (e.g., GDPR) must consider the risk of data leakage or unauthorized access resulting from this vulnerability. The requirement for user interaction and authentication limits large-scale automated exploitation but does not eliminate targeted attacks within organizations.

Mitigation Recommendations

1. Upgrade all Kirby CMS installations to version 5.1.4 or later immediately to apply the official patch addressing CVE-2025-65012.
2. Restrict permissions within the Kirby Panel to limit who can modify page titles and usernames, ideally to trusted administrators only.
3. Implement strict input validation and sanitization on user-modifiable fields, even beyond the vendor patch, to reduce risk of injection.
4. Monitor Panel user activity logs for unusual changes to page titles or usernames that could indicate attempted exploitation.
5. Educate Panel users about the risk of opening the 'Changes' dialog when suspicious modifications are present.
6. Consider deploying Content Security Policy (CSP) headers to limit the impact of potential XSS payloads by restricting script execution sources.
7. Regularly audit and review user roles and access controls to minimize the number of users with modification privileges.
8. If external visitors can update page titles or usernames, implement additional verification or moderation workflows to prevent malicious input.
9. Employ web application firewalls (WAFs) with rules targeting XSS payload patterns in CMS administrative interfaces.
10. Conduct periodic security assessments and penetration testing focused on CMS components to detect similar vulnerabilities proactively.


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-11-13T15:36:51.679Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 691cf9367ccfba78bc94ec8e

Added to database: 11/18/2025, 10:54:46 PM

Last enriched: 11/18/2025, 11:09:48 PM

Last updated: 11/19/2025, 3:38:37 AM
