Advisories for Composer/Getkirby/Cms package

Kirby's user permissions control which user role is allowed to perform specific actions in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/…). The permissions control the authorization of user actions (with handling of model-specific authorization omitted here for brevity). Kirby provides the access.system permission (among others) that controls access to the system area of the Kirby Panel. This area contains internal system information like …

Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/…). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/…) using the options feature. The permissions and options together control the authorization of user actions. In affected releases, Kirby …

Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/…). It is also possible to customize the permissions for each target model using the options feature (for user models again in the user blueprints). The permissions and options together control the authorization of user actions. Kirby provides the user.update …

Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/…). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/…) using the options feature. The permissions and options together control the authorization of user actions. Kirby provides the pages.access, …

Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/…). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/…) using the options feature. The permissions and options together control the authorization of user actions. Kirby provides the pages.create, …

Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/…). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/…) using the options feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides …

Kirby's Xml::value() method has special handling for <![CDATA[ ]]> blocks. If the input value is already valid CDATA, it is not escaped a second time but allowed to pass through. However it was possible to trick this check into allowing values that only contained a valid CDATA block but also contained other structured data outside of the CDATA block. This structured data would then also be allowed to pass through, …

Kirby provides field types (checkboxes, color, multiselect, select, radio, tags and toggles) that offer a fixed set of options from a configured list. This configured list can be statically defined in the blueprint or it can come from a Kirby query or (external) API source. Options coming from a query or API are treated as dynamic. Static options can contain queries in the form {{ query }} or {< query …

Kirby CMS through version 5.1.4 allows an authenticated user with Editor permissions to cause a persistent Denial of Service (DoS) via a malformed image upload.

The missing permission checks allowed attackers with Panel access to create or discard a changes version or update the content fields in an existing changes version. All of these actions could affect arbitrary models. This could cause the following impact: Attackers could maliciously create changes versions for all models of the site, creating editing locks that would prevent other authenticated users from making content changes until those locks were cleared. …

The "Changes" dialog in the Panel displays all content models (pages, files, users) with changed content, i.e. with content that has not yet been published. Each changed model is listed with its preview image/icon and its title/name. Attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the …

The missing path traversal check allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the collections root or even outside of the Kirby installation. PHP code within such files was executed. Such attacks first require an attack vector in the site code that is caused by dynamic collection names, such as collection('tags-' . get('tags')). It generally also …

The missing path traversal check allowed attackers to navigate all files on the server that were accessible to the PHP process, including files outside of the Kirby installation. The vulnerable implementation delegated all existing files to PHP, including existing files outside of the document root. This leads to a different response that allows attackers to determine whether the requested file exists. Because Kirby's router only delegates such requests to PHP …

The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage, for example: If the languages option was enabled but no language exists, creating the first language will switch Kirby to multi-language mode. Deleting an existing language will lead to content loss of all translated content …

TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. The attack requires user interaction by another user or visitor and cannot be automated. Introduction Unrestricted upload of files with a dangerous type is a type of vulnerability that allows to circumvent expectations and protections in the server setup or backend code. Uploaded files are not checked for their compliance with …

TL;DR This vulnerability affects Kirby sites that use the URL field in any blueprint. A successful attack commonly requires knowledge of the content structure by the attacker as well as social engineering of a user with access to the Panel. The attack cannot be automated. The vulnerability is also limited to self-XSS and cannot directly affect other users or visitors of the site. Introduction Cross-site scripting (XSS) is a type …

TL;DR This vulnerability affects Kirby sites that use the new link field and output the entered link without additional validation or sanitization. The attack commonly requires user interaction by another user or visitor. The link dialog of the writer field is not affected as the writer field content is automatically sanitized by the Kirby backend code. You are also already protected if you limit the acceptable link types with the …

An HTML injection vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted payload.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xrvh-rvc4-5m43. This link is maintained to preserve external references. Original Description An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-57f2-8p89-66x6. This link is maintained to preserve external references. Original Description Kirby CMS v4.1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the URL parameter.

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker already maliciously used a previous password to …

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update a Kirby content file (e.g. via a contact or comment form). Kirby sites are not affected if they don't allow write access for untrusted users or visitors. A field …

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the Xml data handler (e.g. Data::decode($string, 'xml')) or the Xml::parse() method in site or plugin code. The Kirby core does not use any of the affected methods. XML External Entities (XXE) is a little used feature in the XML markup language that allows to include data …

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary file to the content folder. Kirby sites are not affected if they don't allow file uploads for untrusted users or visitors or if the file extensions of …

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited, however we still recommend to update to one of the patch releases because they also fix more severe vulnerabilities. Kirby's authentication endpoint does not limit the password …

Under normal circumstances, entering an invalid email address results in a "fake" login code form that looks exactly like the one of an existing user (unless debugging is enabled). However, the code that handles the creation of a code challenge (for code-based login or password reset) didn't catch errors that occurred while the challenge request was processed. If the challenge itself runs into an error (e.g. if the email could …

Kirby comes with a built-in brute force protection. By default, it will prevent further login attempts after 10 failed logins from a single IP address or of a single existing user. After every failed login attempt, Kirby inserts a random delay between one millisecond and two seconds to make automated attacks harder and to avoid leaking whether the user exists. Unfortunately, this random delay was not inserted after the brute …

This advisory duplicates another.

The tags and multiselect fields allow to select tags from an autocompleted list. The tags field also allows to enter new tags or edit existing tags. Kirby already handled escaping of the autocompleted tags, but unfortunately the Panel used HTML rendering for new or edited tags as well as for custom tags from the content file. This allowed attackers with Panel access to store malicious HTML code in a tag. …

kirby is a content management system (CMS) that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting (XSS) is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim. If bad …

An issue was discovered in Kirby 2.5.12. The application allows malicious HTTP requests to be sent in order to trick a user into adding web pages.

An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.

A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.

Kirby is an open source file structured CMS ### Impact Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, otherwise the formatting would be lost. If the user is logged in to the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the …

Kirby is an open source file structured CMS. In affected versions Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to escape HTML special characters to protect against cross-site scripting (XSS) attacks. The default snippet for the image block unfortunately did not use our escaping helper. This made it …

Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's ListItem component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the …

Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like <script> tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for example trigger requests …

Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. This is a security feature, which we implemented years …

Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors …