Kirby
Authenticated users in Kirby CMS can bypass permission controls to create unauthorized pages, files, and users by injecting blueprint configuration into the model creation request. Versions prior to 4.9.0 and 5.4.0 do not sanitize the 'blueprint' property in creation requests, so an attacker with a low-privilege account can override the developer-defined authorization policy by setting 'create' => true in the blueprint's dynamic options. Patches are available in Kirby 4.9.0 and 5.4.0, which filter blueprint properties during normalization so that client-supplied values cannot replace the developer's configuration.
Kirby CMS versions 5.0.0 through 5.2.1 fail to enforce permission checks in the content changes API, allowing authenticated users with restricted roles to modify site content even when their role's update permission is disabled. Only installations with custom permission configurations that deny write access to specific user roles are affected. A patch is available in version 5.2.2.
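Both issues above are the same class of bug: an endpoint trusts request data (or skips a check) where the server-side blueprint should be the only source of authorization. The following is an added illustration, not Kirby's own code or its internal API, written in PHP because Kirby is a PHP application. The functions normalizeVulnerable, normalizeHardened, canCreate and applyChanges, the allowlist ALLOWED_CREATE_PROPS, and the sample blueprint and request arrays are all hypothetical and constructed for this example; they show the vulnerable merge beside the hardened allowlist for the blueprint injection, and a permission check of the kind the content changes API was missing.

```php
<?php
// Added illustration, not Kirby's code. Hypothetical model-creation and
// content-update handlers showing (1) why client-supplied `blueprint`
// configuration must be dropped before it can override the developer's
// authorization policy and (2) why an update endpoint must check the
// caller's permission before applying changes.

declare(strict_types=1);

// Developer-defined blueprint (constructed sample): this role may neither
// create nor update the model.
const SERVER_BLUEPRINT = [
    'name'    => 'pages/article',
    'options' => ['create' => false, 'update' => false],
];

// Client-supplied properties from a creation request (constructed sample):
// a low-privilege user smuggles in a blueprint that flips `create` to true.
const MALICIOUS_REQUEST = [
    'title'     => 'Injected page',
    'blueprint' => ['options' => ['create' => true]],
];

// Keys a client may legitimately set when creating a model (hypothetical
// allowlist; authorization-affecting keys such as `blueprint` are absent).
const ALLOWED_CREATE_PROPS = ['title', 'slug', 'template', 'content'];

/**
 * Vulnerable normalization: merges the request's blueprint over the
 * server blueprint, so the client's `create` => true wins.
 */
function normalizeVulnerable(array $request): array
{
    $props = $request;
    $props['blueprint'] = array_replace_recursive(
        SERVER_BLUEPRINT,
        $request['blueprint'] ?? []
    );
    return $props;
}

/**
 * Hardened normalization: keep only allowlisted request keys, discarding
 * `blueprint` and anything else unknown, then attach the server-side
 * blueprint unchanged.
 */
function normalizeHardened(array $request): array
{
    $props = array_intersect_key($request, array_flip(ALLOWED_CREATE_PROPS));
    $props['blueprint'] = SERVER_BLUEPRINT;
    return $props;
}

/** Authorization decision read from whatever blueprint survived normalization. */
function canCreate(array $props): bool
{
    return ($props['blueprint']['options']['create'] ?? false) === true;
}

/**
 * Hardened content-changes handler: refuse unless the role's `update`
 * option is enabled in the server-side blueprint. The missing check is
 * exactly what let restricted roles write content.
 */
function applyChanges(array $blueprint, array $changes, array &$content): bool
{
    if (($blueprint['options']['update'] ?? false) !== true) {
        return false; // a real endpoint would answer 403 here
    }
    $content = array_merge($content, $changes);
    return true;
}

// Demonstration: the vulnerable path lets the injected option through,
// the hardened path and the guarded update handler both deny.
var_dump(canCreate(normalizeVulnerable(MALICIOUS_REQUEST)));
var_dump(canCreate(normalizeHardened(MALICIOUS_REQUEST)));

$content = ['text' => 'original'];
var_dump(applyChanges(SERVER_BLUEPRINT, ['text' => 'edited'], $content));
var_dump($content);
```

The allowlist is the point: a denylist that strips only 'blueprint' would be bypassed by the next property that influences authorization, whereas an allowlist forces every client-settable key to be an explicit decision. Run it with `php example.php` and compare the first two var_dump lines.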
Kirby is an open-source content management system. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable with low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Kirby is an open-source content management system. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. No vendor patch is available.
Kirby is an open-source content management system. Rated low severity (CVSS 2.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch is available.
Kirby is an open-source content management system. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. Public exploit code is available and no vendor patch is available.