GHSA-qgp4-5qx6-548g · 深刻度: high · エコシステム: composer — Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby
Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `<script>` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for example trigger requests to Kirby's API with the permissions of the victim. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible. Visitors without Panel access can only use this attack vector if your site allows SVG file uploads in frontend forms and you don't already sanitize uploaded SVG files. The problem has been patched in Kirby 3.5.4. Please update to this or a later version to fix the vulnerability. Frontend upload forms need to be patched separately depending on how they store the uploaded file(s). If you use `File::create()`, you are protected by updating to 3.5.4+. As a work around you can disable the upload of SVG files in your file blueprints.
総合評価: CVE-2021-29460 は悪用リスクが高い(77.7/100)。CVSS 深刻度は高。悪用される可能性が高い(EPSS 3.17%、86 パーセンタイル) 根拠: 公開エクスプロイトが 3 件参照されています(Exploit-DB)。 直近 1 日で EPSS が +2.05% 上昇。悪用への関心が高まっている可能性があります。 推奨対応: 公開エクスプロイトが確認されています。影響範囲の確認、緩和策の適用、パッチ適用を優先してください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
| EDB-ID | ソース | 種別 | 公開 | リンク |
|---|---|---|---|---|
| 49808 | exploit_db | edb | 2021-04-28 | Exploit-DB ↗ |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 1.12% | 3.17% | +2.05% |
| 2 | 2025-11-21 | 1.76% | 1.12% | -0.64% |
| 3 | 2025-11-18 | — | 1.76% | — |
EPSS の全履歴 (全 23 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 7.6 | 3.1 | HIGH |
|
2.3 | 4.7 | [email protected] |
| 5.4 | 3.1 | MEDIUM |
|
2.3 | 2.7 | [email protected] |
| 3.5 | 2.0 | LOW |
|
6.8 | 2.9 | [email protected] |
GHSA-qgp4-5qx6-548g · 深刻度: high · エコシステム: composer — Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby
| URL | タグ |
|---|---|
| http://packetstormsecurity.com/files/162359/Kirby-CMS-3.5.3.1-Cross-Site-Scripting.html | Exploit Third Party Advisory VDB Entry |
| https://github.com/getkirby/kirby/releases/tag/3.5.4 | Release Notes Third Party Advisory |
| https://github.com/getkirby/kirby/security/advisories/GHSA-qgp4-5qx6-548g | Exploit Third Party Advisory |