Overview
CVE-2025-65012 details a Cross-Site Scripting (XSS) vulnerability found in Kirby CMS, an open-source content management system. This vulnerability affects versions 5.0.0 through 5.1.3. An attacker could exploit this flaw to inject malicious code into the Kirby Panel, potentially compromising the accounts of other authenticated users.
The attack requires user interaction from a separate Panel user to trigger the malicious code. This vulnerability is addressed in Kirby version 5.1.4.
Technical Details
The vulnerability stems from insufficient input sanitization when handling page titles and user names within the Kirby CMS Panel. An attacker with Panel access could change the title of any page or the name of any user to include a malicious JavaScript payload. After making the changes to title or name, attacker can modify any content field of the same model without saving. It ensures the model becomes a candidate for display in the “Changes” dialog.
Subsequently, when another authenticated user opens the “Changes” dialog in the Panel, the injected JavaScript code is executed within their browser session. This allows the attacker to perform actions on behalf of the victim user, potentially leading to account takeover, data theft, or further system compromise.
The key requirement for exploitation is that the attacker and the victim must both be authenticated users within the Kirby Panel. External visitors who are only able to update page titles or usernames through front end form could also be part of attacker pool.
CVSS Analysis
While a CVSS score is currently unavailable (N/A), this vulnerability should be considered a security risk. The lack of a CVSS score doesn’t diminish the potential impact. The severity is currently marked as N/A.
Factors influencing the severity include:
- Attack Vector: Requires authenticated access to the Kirby Panel.
- Attack Complexity: Relatively low; requires the ability to modify page titles or usernames.
- User Interaction: Requires interaction from another authenticated Panel user.
- Impact: Could lead to account compromise and data breaches.
Possible Impact
Successful exploitation of CVE-2025-65012 can have significant consequences:
- Account Takeover: An attacker could gain control of administrator or editor accounts.
- Data Theft: Sensitive data stored within the Kirby CMS could be accessed and stolen.
- Website Defacement: The attacker could modify website content, potentially defacing the site.
- Malware Distribution: The attacker could inject malicious code to distribute malware to website visitors.
Mitigation and Patch Steps
The recommended mitigation is to update your Kirby CMS installation to version 5.1.4 or later. This version includes a patch that addresses the XSS vulnerability.
- Backup Your Website: Before updating, create a full backup of your Kirby CMS installation, including the database and all files.
- Update Kirby CMS: Follow the official Kirby CMS update instructions to upgrade to version 5.1.4 or later.
- Verify the Update: After the update, verify that the vulnerability has been resolved.
