CVE-2021-32735

CVE-2021-32735 is a high-severity security vulnerability in getkirby/cms (composer), affecting versions <= 3.5.6. It is fixed in 3.5.7.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Cross-site scripting (XSS) from field and configuration text displayed in the Panel

On Saturday, @hdodov reported that the Panel's ListItem component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks.

We used his report as an opportunity to find and fix XSS issues related to dynamic site content throughout the Panel codebase.

Impact

Cross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the Panel session of other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim.

Such vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.

Visitors without Panel access can only use this attack vector if your site allows changing site data from a frontend form (for example user self-registration or the creation of pages from a contact or other frontend form). If you validate or sanitize the provided form data, you are already protected against such attacks by external visitors.

CVE-2021-32735 has a CVSS score of 7.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.5.7); upgrading removes the vulnerable code path.

Affected versions

getkirby/cms (<= 3.5.6)

Security releases

getkirby/cms → 3.5.7 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Kirby 3.5.7 contains patches for the following issues we found during our investigation:

  • Some translated error and info messages contain placeholders to dynamically insert information like page titles or filenames. While the translation strings are allowed to contain HTML formatting, the dynamic data needs to be protected against XSS attacks. Kirby 3.5.7 now escapes the dynamic data.
  • Our Box component used to display information for the user supports HTML output for specific use-cases. We found out that the dialogs used in the files, pages and users fields as well as the fields section used it to display raw exception or error messages. These messages are now escaped.
  • The users and settings views display user and language data using the ListItem component that supports HTML. We now escape the dynamic data before it is passed to the ListItem component.
  • Some of our sections and fields support HTML for their text, help and/or info properties. This allows custom formatting from the blueprint, but also caused the original issue reported to us that allowed to inject HTML code from the content itself. Kirby 3.5.7 now escapes the default text displayed by the files and pages sections (filename/page title), the files, pages and users fields (filename/page title/username) and by query-based checkboxes, radio, tags and multiselect fields (default text depending on the used query).

Note: Custom text, help and info queries in blueprints are not escaped in 3.5.7. We support HTML in these properties because there are valid use-cases for custom formatting. However there can still be XSS vulnerabilities depending on your use of these properties. In Kirby 3.6 we will provide a new feature that will make it much easier to control whether you want to allow HTML from query placeholders.

Frequently Asked Questions

  1. What is CVE-2021-32735? CVE-2021-32735 is a high-severity security vulnerability in getkirby/cms (composer), affecting versions <= 3.5.6. It is fixed in 3.5.7.
  2. How severe is CVE-2021-32735? CVE-2021-32735 has a CVSS score of 7.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of getkirby/cms are affected by CVE-2021-32735? getkirby/cms (composer) versions <= 3.5.6 is affected.
  4. Is there a fix for CVE-2021-32735? Yes. CVE-2021-32735 is fixed in 3.5.7. Upgrade to this version or later.
  5. Is CVE-2021-32735 exploitable, and should I be worried? Whether CVE-2021-32735 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2021-32735 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2021-32735? Upgrade getkirby/cms to 3.5.7 or later.

Other vulnerabilities in getkirby/cms

Stop the waste.
Protect your environment with Kodem.