This can be done by sending a link in an email, posting a message on Facebook, or even through an instant message. All of these channels are vulnerable to attack. Once the page is added, it can display any type of content.
If your page is about a topic that might interest someone, it is possible that they will click on it and be redirected to a different site. This can pose a major security risk.

Other issues that were found in this version of the software include:

Kirby 2.5.12 is no longer supported and should be upgraded to a newer version. Users who are unable to upgrade to a new version should consider uninstalling the software.

Protect your network with a good VPN

The way a VPN protects your network is by encrypting it, which means that no one can see what you're doing online. Most importantly, this includes your internet service provider (ISP). This means that the ISP cannot know what websites you are visiting and sell your data to the highest bidder.
There are many reasons why a VPN is important for businesses:
* Encryption prevents data theft.
* It prevents hackers from stealing information.
* It creates an anonymous IP address so no one knows what you're up to online.
A good VPN also helps people who run their own business to remain secure in case they get hacked. It also helps companies protect their networks in case they're compromised by outside sources.
A good VPN is necessary for enterprise-level businesses, especially if you have a lot of employees using the network or want to protect yourself against outside threats.

Exploit

# Exploit Title: Kirby CMS 2.5.12 - Cross-Site Scripting
# Date: 2018-07-22
# Exploit Author: Zaran Shaikh
# Version: 2.5.12
# CVE: NA
# Category: Web Application

# Description
# The application allows user injected payload which can lead to Stored
# Cross Site Scripting.

# Proof of Concept
# 1. Visit the application as low priv user
# 2. Go to add page option
# 3. Under title, enter any XSS payload like:

<script>alert("XSS");</script>

# 4. Upon the payload being injected, the subsequent page is triggered
# with XSS
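
To check whether a payload like the one above is already stored in page titles, and to show the title encoded at output, here is an added example; it is not code from the advisory or from the Kirby project. It assumes Kirby's flat-file content layout (one `.txt` file per page, `Field: value` blocks separated by `----` lines); the function names and the sample pages are constructed for illustration.

```python
import html
import re
import tempfile
from pathlib import Path

# Assumption: Kirby's flat-file layout, "Field: value" blocks split by "----" lines.
FIELD_SEP = re.compile(r"^----\s*$", re.MULTILINE)
# Tag openers, inline event handlers and javascript: URLs have no place in a title.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)

def parse_fields(text):
    """Return {lowercased field name: value} for one content file."""
    fields = {}
    for block in FIELD_SEP.split(text):
        name, sep, value = block.strip().partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields

def audit_titles(content_root):
    """List (relative path, title) for every page whose stored title contains markup."""
    findings = []
    for path in sorted(Path(content_root).rglob("*.txt")):
        text = path.read_text(encoding="utf-8", errors="replace")
        title = parse_fields(text).get("title", "")
        if SUSPICIOUS.search(title):
            findings.append((path.relative_to(content_root).as_posix(), title))
    return findings

def render_title(title):
    """Encode at output so a stored payload is shown as text, not executed."""
    return "<h1>" + html.escape(title, quote=True) + "</h1>"

def make_sample(root):
    """Constructed sample content: one clean page, one carrying the PoC title."""
    pages = {"1-about/default.txt": "Title: About us\n\n----\n\nText: Hello",
             "2-news/default.txt": 'Title: <script>alert("XSS");</script>\n\n----\n\nText: x'}
    for rel, body in pages.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        make_sample(root)
        for name, title in audit_titles(root):
            print(name, "->", render_title(title))
```
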

Timeline

Published on: 08/24/2022 20:15:00 UTC
Last modified on: 08/29/2022 02:41:00 UTC
