Insufficient Permission Checks in Kirby CMS Allow Language Manipulation
CVE-2024-41964

8.1 HIGH

Key Information:

Vendor: Getkirby
Status: Vendor
CVE Published: 29 August 2024

What is CVE-2024-41964?

A high-severity vulnerability (CVSS v3.1 base score 8.1) has been identified in Kirby CMS in its handling of user permissions for language management. Kirby allows the permissions of a user role to be restricted, but before the patched versions that restriction was not enforced consistently by either the Panel frontend or the backend. As a result, even when the `languages.*` wildcard permission was disabled for a role, any user of that role with Panel access could still modify existing language definitions, because the update path performed no permission check. There was also no way to restrict updates to existing languages specifically, so the operation could not be locked down at all. The issue is fixed in Kirby 3.6.6.6, 3.7.5.5, 3.8.4.4, 3.9.8.2, 3.10.1.1 and 4.3.1; there are no known workarounds, so upgrading is the only remediation. The general lesson is that a control hidden in the Panel is not a security boundary: the authorization decision has to be made server-side on every request.
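To make the failure mode concrete, here is an added example in Python (it is not Kirby's code, which is PHP, and it is not part of the original advisory). It models a role whose `languages.*` wildcard permission can be switched off, a `update_language_vulnerable` handler that checks only Panel access (the pre-fix behaviour the advisory describes), and a `update_language_fixed` handler that also resolves `languages.update` server-side before writing. The role names, every permission key other than `languages.*`, the resolution order (explicit rule, then group wildcard, then default allow) and the sample language data are assumptions made for the illustration.

```python
"""Toy model of a role-permission check on an 'update language' action.

Hypothetical illustration only: names, data and API are assumptions,
not Kirby's real code. Permissions default to allowed; a role may set
explicit entries, and a `<group>.*` wildcard entry covers every action
in that group (e.g. `languages.*` covers `languages.update`).
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when a role is not allowed to perform an action."""


@dataclass
class Role:
    name: str
    permissions: dict = field(default_factory=dict)

    def can(self, action: str) -> bool:
        """Resolve an action: explicit rule, then group wildcard, then default allow."""
        if action in self.permissions:
            return self.permissions[action]
        group = action.split(".", 1)[0] + ".*"
        if group in self.permissions:
            return self.permissions[group]
        return self.permissions.get("*", True)


def fresh_languages() -> dict:
    """Constructed sample language definitions (not real site data)."""
    return {
        "en": {"name": "English", "locale": "en_US", "default": True},
        "de": {"name": "Deutsch", "locale": "de_DE", "default": False},
    }


def update_language_vulnerable(role: Role, languages: dict, code: str, changes: dict) -> dict:
    """Pre-fix behaviour: only Panel access is checked.

    The Panel UI may hide the form for a restricted role, but a direct
    request to the backend reaches this point and the update goes through.
    """
    if not role.can("access.panel"):
        raise PermissionDenied(f"{role.name} has no Panel access")
    languages[code].update(changes)
    return languages[code]


def update_language_fixed(role: Role, languages: dict, code: str, changes: dict) -> dict:
    """Post-fix behaviour: the backend resolves the language permission itself."""
    if not role.can("access.panel"):
        raise PermissionDenied(f"{role.name} has no Panel access")
    if not role.can("languages.update"):
        raise PermissionDenied(f"{role.name} may not update languages")
    if code not in languages:
        raise KeyError(code)
    languages[code].update(changes)
    return languages[code]


def attempt(handler, role: Role) -> str:
    """Run one handler against a fresh copy of the data and report the outcome."""
    languages = fresh_languages()
    try:
        result = handler(role, languages, "de", {"name": "Hacked", "default": True})
        return "updated:" + result["name"]
    except PermissionDenied:
        return "denied"


# Constructed roles: the editor has the wildcard disabled, the admin has no
# restrictions, the translator re-enables one action inside a disabled group.
EDITOR = Role("editor", {"languages.*": False})
ADMIN = Role("admin")
TRANSLATOR = Role("translator", {"languages.*": False, "languages.update": True})

if __name__ == "__main__":
    for role in (EDITOR, ADMIN, TRANSLATOR):
        print(role.name,
              "vulnerable:", attempt(update_language_vulnerable, role),
              "fixed:", attempt(update_language_fixed, role))
```

Running it shows the editor role, with `languages.*` disabled, still rewriting the German language definition through the vulnerable handler and being refused by the fixed one, while the admin and translator roles succeed with both. The point of the `attempt` helper is that each call works on a fresh copy of the data, so the vulnerable path's mutation cannot leak into the next check.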


Affected Version(s)

kirby < 3.6.6.6

kirby >= 3.7.0, < 3.7.5.5

kirby >= 3.8.0, < 3.8.4.4

CVSS V3.1

Score: 8.1
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Note: the metrics as listed (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) compute to a 6.5 base score under the CVSS v3.1 formula, not 8.1. An 8.1 score with these exploitability metrics requires a second High impact metric (Confidentiality or Availability), so one of the listed impact values is likely a transcription error; check the vector string in the vendor advisory before relying on this breakdown.

Timeline

  • Vulnerability published: 29 August 2024

  • Vulnerability reserved