### TL;DR
This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary file to the content folder.
Your Kirby sites are *not* affected if they don’t allow file uploads for untrusted users or visitors or if the file extensions of uploaded files are limited to a fixed safe list.
The attack requires user interaction by another user or visitor and *cannot* be automated.
---
### Introduction
Cross-site scripting (XSS) is a type of vulnerability that allows an attacker to execute arbitrary JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can, for example, trigger requests to Kirby’s API with the permissions of the victim.
Such vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.
### Impact
An editor with write access to the Kirby Panel could upload a file with an unknown file extension like `.xyz` that contains HTML code including harmful content like `
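The mitigation the TL;DR names, a fixed safe list of upload extensions, is easy to get subtly wrong (case, double extensions, trailing dots, no extension at all). The following added example is not Kirby's code and not part of the advisory; it is a stand-alone upload check in Python that applies a constructed allowlist (`SAFE_EXTENSIONS`, an assumption for this example, not Kirby's default) to the final extension only, and as defence in depth rejects uploads whose first bytes look like HTML even when the extension is allowed. The function names `extension_of`, `check_upload` and the sample file contents are all constructed here.

```python
import os
import re

# Constructed allowlist for this example. Use whatever list fits your site;
# the point is that it is fixed and that unknown extensions are refused.
SAFE_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "webp", "pdf", "mp4"})

# Byte patterns that indicate HTML/script content, checked regardless of the
# extension so that a mislabelled file cannot slip through on its name alone.
_HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype|html|script|svg|body|iframe)\b", re.IGNORECASE
)


def extension_of(filename: str) -> str:
    """Return the lower-cased final extension of a filename, or '' if none.

    Only the last extension counts ('image.jpg.xyz' is an .xyz file), the
    directory part is ignored, and trailing dots/spaces are stripped so that
    'notes.xyz.' is not mistaken for a file without an extension.
    """
    base = os.path.basename(filename).rstrip(". ")
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def extension_allowed(filename: str, allowed=SAFE_EXTENSIONS) -> bool:
    """True only if the file has an extension and it is on the safe list."""
    ext = extension_of(filename)
    return ext != "" and ext in allowed


def looks_like_html(head: bytes) -> bool:
    """Cheap content sniff over the first KiB of the upload."""
    return _HTML_MARKERS.search(head[:1024]) is not None


def check_upload(filename: str, head: bytes, allowed=SAFE_EXTENSIONS):
    """Return (accepted, reason) for an upload given its name and leading bytes."""
    if not extension_allowed(filename, allowed):
        return False, "extension not in safe list"
    if looks_like_html(head):
        return False, "content looks like HTML"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads: an unknown .xyz extension carrying HTML,
    # a double extension, an allowed extension with HTML content, and a
    # genuine JPEG header.
    samples = [
        ("notes.xyz", b"<html><body>hello</body></html>"),
        ("image.jpg.xyz", b"\xff\xd8\xff"),
        ("page.jpg", b"<html><script>...</script></html>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ]
    for name, head in samples:
        print(name, check_upload(name, head))
```

The content sniff is deliberately narrow: it is there to catch the obvious "HTML in a file with a harmless name" case the advisory describes, not to replace the allowlist, which remains the primary control.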