CVE intelligence and bounded remediation

CVE-2023-38491 — Kirby is a content management system

Medium CVSS 5.7

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary file to the content folder. Kirby sites are not affected if they don't allow file uploads for untrusted users or visitors or if the file extensions of uploaded files are limited to a fixed safe list. The attack requires user interaction by another user or visitor and cannot be automated. An editor with write access to the Kirby Panel could upload a file with an unknown file extension like `.xyz` that contains HTML code including harmful content like `<script>` tags. The direct link to that file could be sent to other users or visitors of the site. If the victim opened that link in a browser where they are logged in to Kirby and the file had not been opened by anyone since the upload, Kirby would not be able to send the correct MIME content type, instead falling back to `text/html`. The browser would then run the script, which could for example trigger requests to Kirby's API with the permissions of the victi…

Severity
Medium
CVSS
5.7 (3.1)
Published
2023-07-27
CISA KEV
Not currently listed
Ecosystem
software/application
Weaknesses
CWE-79

Affected products

  • getkirby / kirby

Showing 1 representative product identities from 5 source matches. Confirm exact affected versions with the linked vendor and NVD evidence.

Matched remediation archetype

Cross-site scripting and unsafe browser output

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Trace reflected, stored, and DOM-derived untrusted values into HTML, attributes, URLs, styles, scripts, and client-side template sinks.
  • Identify affected origins, authenticated user roles, sensitive browser capabilities, and where content is shared across tenants.
  • Review framework escaping, rich-text sanitization, legacy templates, and client-side rendering paths.

Remediate safely

  • Use context-aware framework output encoding and safe DOM APIs; keep untrusted data out of executable contexts.
  • Sanitize intentionally supported markup with a maintained allowlist policy and validate URLs and attributes separately.
  • Update affected rendering components and add tests for every output context using inert sentinel markup.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.