Kirby CMS, Server-Side Template Injection, High

Listen to this Post

How the mentioned CVE works:

This SSTI vulnerability in Kirby CMS arises from unsafe double-resolution of dynamic option values used in fields like checkboxes, select, tags, etc. When a blueprint defines options from a query or API (dynamic sources), Kirby first resolves a trusted query to fetch raw data (e.g., page s, external API responses). In affected versions, the resulting string values are then passed through the query parser a second time. An attacker who can inject malicious template syntax into those data sources – for example, by controlling a page or an external API field – can embed payloads like `{{ users.first.password }}` or {{ page.delete }}. When a Panel user (including the attacker themselves or a higher-privileged user) loads the field, the payload executes. This allows reading sensitive data, modifying content, or performing unauthorized actions. The attack requires authenticated Panel access, but any authenticated user can trigger it. The double-resolution flaw exists in Kirby’s `OptionsApi` and `OptionsQuery` classes. Static options defined directly in blueprints are safe because they are resolved only once. The vulnerability affects Kirby 4.x before 4.9.0 and 5.x before 5.4.0.

dailycve form:

Platform: Kirby CMS
Version: ≤4.8.0 and ≤5.3.0
Vulnerability: SSTI double resolution
Severity: High
date: April 2024

Prediction: Already patched (2024-04)

What Undercode Say:

Check Kirby version in composer.lock
grep '"name": "getkirby/cms"' composer.lock -A 2 | grep version
Find blueprints using dynamic options (query or API)
grep -r "options:" site/blueprints/ | grep -E "query:|api:"
Simulate vulnerable option source (example page payload)
curl -X POST https://kirby-site/api/pages/evil -d '={{ users.first.password }}'
Detect SSTI with blind payload
curl 'https://kirby-site/panel/pages/home?field=options' -H 'Cookie: panel=...' --data '{{ "test"|trim }}'

how Exploit:

1. Gain low-privileged Panel authentication (any user).

  1. Find an option field (select, tags, etc.) configured with dynamic source (query/api).
  2. Insert SSTI payload into the source data – e.g., create a page d `{{ site.users.first.password }}` or compromise external API response.
  3. Trigger the field rendering by accessing the Panel view (e.g., page edit form).
  4. Payload executes on server, returning sensitive data or performing writes like {{ page.delete }}.
  5. Escalate by luring a higher-privileged user to view the same field.

Protection from this CVE:

  • Upgrade to Kirby 4.9.0 or 5.4.0+ immediately.
  • If patching impossible, avoid dynamic options (use static lists) or sanitize all external data before use.
  • Disable Panel access for untrusted users.
  • Review existing blueprints; replace `options: query` or `options: api` with static arrays.
  • Apply input validation on any data that feeds into option values.

Impact:

Remote code execution via SSTI leading to full site compromise. Attackers can read database credentials, extract user passwords, delete pages, modify content, or gain admin privileges. The vulnerability also enables persistent backdoors if malicious templates are stored in reusable fields, affecting all viewers of the manipulated Panel view.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top