CVE-2023-38490

CVE-2023-38490 is a medium-severity XML external entity injection (XXE) vulnerability in getkirby/cms (composer), affecting versions < 3.5.8.3. It is fixed in 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

XML External Entity (XXE) vulnerability in the XML data handler

TL;DR

This vulnerability only affects Kirby sites that use the Xml data handler (e.g. Data::decode($string, 'xml')) or the Xml::parse() method in site or plugin code. The Kirby core does not use any of the affected methods.

If you use an affected method and cannot rule out XML input controlled by an attacker, we strongly recommend to update to a patch release.

Introduction

XML External Entities (XXE) is a little used feature in the XML markup language that allows to include data from external files in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts like the disclosure of internal or confidential data that is stored on the server (arbitrary file disclosure) or to perform network requests on behalf of the server (server-side request forgery, SSRF).

Credits

Thanks to Alexandre Zanni (@noraj) at ACCEIS and Patrick Falb (@dapatrese) at FORMER 03 for responsibly reporting the identified issue.

Impact

Kirby's Xml::parse() method used PHP's LIBXML_NOENT constant, which enabled the processing of XML external entities during the parsing operation.

The Xml::parse() method is used in the Xml data handler (e.g. Data::decode($string, 'xml')).

Both the vulnerable method and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to parse RSS feeds or other XML files. If those files are of an external origin (e.g. uploaded by a user or retrieved from an external URL), attackers may be able to include an external entity in the XML file that will then be processed in the parsing process.

Kirby sites that don't use XML parsing in site or plugin code are not affected.

An XML parser processes external entity references in untrusted input, causing the server to fetch internal resources or remote URLs. Typical impact: local file disclosure, server-side request forgery, or denial of service.

CVE-2023-38490 has a CVSS score of 6.8 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6); upgrading removes the vulnerable code path.

Affected versions

getkirby/cms (< 3.5.8.3) getkirby/cms (>= 3.6.0, < 3.6.6.3) getkirby/cms (>= 3.7.0, < 3.7.5.2) getkirby/cms (>= 3.8.0, < 3.8.4.1) getkirby/cms (>= 3.9.0, < 3.9.6)

Security releases

getkirby/cms → 3.5.8.3 (composer) getkirby/cms → 3.6.6.3 (composer) getkirby/cms → 3.7.5.2 (composer) getkirby/cms → 3.8.4.1 (composer) getkirby/cms → 3.9.6 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

The problem has been patched in Kirby 3.5.8.3, Kirby 3.6.6.3, Kirby 3.7.5.2, Kirby 3.8.4.1 and Kirby 3.9.6. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, we have removed the LIBXML_NOENT constant as processing of external entities is out of scope of the parsing logic. This protects all uses of the method against the described vulnerability.

Frequently Asked Questions

  1. What is CVE-2023-38490? CVE-2023-38490 is a medium-severity XML external entity injection (XXE) vulnerability in getkirby/cms (composer), affecting versions < 3.5.8.3. It is fixed in 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6. An XML parser processes external entity references in untrusted input, causing the server to fetch internal resources or remote URLs.
  2. How severe is CVE-2023-38490? CVE-2023-38490 has a CVSS score of 6.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of getkirby/cms are affected by CVE-2023-38490? getkirby/cms (composer) versions < 3.5.8.3 is affected.
  4. Is there a fix for CVE-2023-38490? Yes. CVE-2023-38490 is fixed in 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6. Upgrade to this version or later.
  5. Is CVE-2023-38490 exploitable, and should I be worried? Whether CVE-2023-38490 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2023-38490 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2023-38490?
    • Upgrade getkirby/cms to 3.5.8.3 or later
    • Upgrade getkirby/cms to 3.6.6.3 or later
    • Upgrade getkirby/cms to 3.7.5.2 or later
    • Upgrade getkirby/cms to 3.8.4.1 or later
    • Upgrade getkirby/cms to 3.9.6 or later

Other vulnerabilities in getkirby/cms

Stop the waste.
Protect your environment with Kodem.