3.6.6.5
🚨 Security release
This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:
- Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
- Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
- Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)
Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.
Updated docs on the Markdown safe mode
During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.
The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript:
links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.
The documentation on the safe mode contained a wrong code example that used an invalid safeMode
option instead of the correct safe
option. This has now been corrected. If you already use the safe mode, please check your code.
➡️ Read more