Kirby is an open-source content management system. Kirby's Xml::value() method has special handling for <![CDATA[ ]]> blocks. If the input value is already valid CDATA, it is not escaped a second time but allowed to pass through.

However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that only contained a valid CDATA block but also contained other structured data outside of the CDATA block. This structured data would then also be allowed to pass through, circumventing the value protection. The Xml::value() method is used in Xml::tag(), Xml::create() and in the Xml data handler (e.g. Data::encode($string, 'xml')).

Both the vulnerable methods and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system's behavior is possible.

Kirby sites that don't use XML generation in site or plugin code are not affected. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. In all of the mentioned releases, Kirby has added additional checks that only allow unchanged CDATA passthrough if the entire string is made up of valid CDATA blocks and no structured data.

This protects all uses of the method against the described vulnerability.