CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Percentile: 16.7%
This vulnerability affects all Kirby sites with the languages option enabled whose group of authenticated Panel users might include potential attackers. If you have disabled the languages and/or api option and don't call any methods in your code that cause write access to languages (language creation, update or deletion), your site is not affected.
Kirby allows restricting the permissions of specific user roles, so that users of a role can only perform permitted actions.
Permissions for creating and deleting languages already existed and could be configured, but they were not enforced by Kirby's frontend or backend code.
A permission for updating existing languages did not exist before the patched versions, so disabling the languages.* wildcard permission for a role could not prevent updates to existing language definitions.
These missing permission checks allowed attackers with Panel access to manipulate the language definitions.
The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage. For example, if the languages option was enabled but no language exists yet, creating the first language will switch Kirby to multi-language mode. Depending on the site code, the result of such actions can be a loss of site availability (e.g. error messages in the site frontend) or of integrity (due to changed URLs or removed translations).
The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability.
In all of the mentioned releases, we have added checks for the languages.create and languages.delete permissions that ensure that users without those permissions cannot perform the respective actions. We have also added a new languages.update permission.
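The following user role blueprint is an added example, not part of the advisory or of Kirby's own code. It shows how the languages permissions described above are declared for a role, including the languages.update permission introduced in the patched releases. The file path site/blueprints/users/editor.yml and the role title are assumptions; the permission keys are the ones named in the advisory. Note that, as the advisory explains, these entries only take effect on a patched version: before the patch, languages.create and languages.delete were not enforced, and languages.update did not exist, so even a wildcard languages: false left updates unrestricted.

```yaml
# site/blueprints/users/editor.yml (assumed path; constructed example role)
title: Editor

permissions:
  # Restrict language management for this role explicitly.
  # On Kirby versions before the patched releases, these keys were
  # either unenforced (create, delete) or non-existent (update).
  languages:
    create: false
    delete: false
    update: false   # new permission added in the patched releases

  # Equivalent shorthand using the wildcard for the whole group;
  # only fully effective on patched versions, where it also covers update:
  # languages: false
```

After updating to a patched release, audit every role blueprint that grants Panel access and confirm that roles which should not manage languages have all three permissions set to false (or the group wildcard), since the default for an unspecified permission is to allow the action.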
Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
github.com/getkirby/kirby
github.com/getkirby/kirby/commit/1dbc9215c97a5c22dc7f34a4e3a64d19e1eac151
github.com/getkirby/kirby/commit/38636655b054e820f66c3b717c55a9d60fe6400a
github.com/getkirby/kirby/commit/83fce501759782cf843b6f1d9293a7c7167e69af
github.com/getkirby/kirby/commit/ab95d172667c3cd529917c2bc94d3c7969706d23
github.com/getkirby/kirby/commit/af9b0a58dea63effab85525ae217faa1f5ded423
github.com/getkirby/kirby/commit/e647a177c75636ef4824662b2ce00d8e5c3a8406
github.com/getkirby/kirby/releases/tag/3.10.1.1
github.com/getkirby/kirby/releases/tag/3.6.6.6
github.com/getkirby/kirby/releases/tag/3.7.5.5
github.com/getkirby/kirby/releases/tag/3.8.4.4
github.com/getkirby/kirby/releases/tag/3.9.8.2
github.com/getkirby/kirby/releases/tag/4.3.1
github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh
nvd.nist.gov/vuln/detail/CVE-2024-41964