3 matches found
CVE-2026-42174
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the process for managing user avatars due to insufficient authorization checks. An attacker can gain unauthorized access to create, replace, or delete user avatars by leveraging file permissions without the...
Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions
TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to update user information user.update or users.update permission is disabled. This can be due to configuration in the blueprints of the acting users, via options in the blueprints of the target...