Insufficient Permission Checks in Kirby CMS Allow Language Manipulation
CVE-2024-41964
What is CVE-2024-41964?
A critical vulnerability has been identified in Kirby CMS in how it enforces user permissions for language management. Kirby already allowed language-related permissions to be restricted per user role, but neither the frontend (the Panel) nor the backend enforced those restrictions adequately. As a result, even when the 'languages.*' wildcard permission was disabled for a role, users in that role who had Panel access could still modify existing language definitions, because no permission check was applied. In addition, prior to the patched versions there was no separate permission for restricting updates to existing languages at all, so this manipulation could not be prevented by configuration. To mitigate the risk, users are strongly encouraged to upgrade promptly to Kirby 3.6.6.6, 3.7.5.5, 3.8.4.4, 3.9.8.2, 3.10.1.1, or 4.3.1; there are currently no known workarounds for this issue.
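To make the missing check concrete, the following is an added illustration, not Kirby's own code: a sketch of a language-update handler that saves changes without consulting the role's permissions, beside a hardened version that refuses unless the current user's role grants a languages update permission. The handler names are hypothetical, and the `('languages', 'update')` permission pair is an assumption for this example; confirm the exact permission key against the patched Kirby release you run.

```php
<?php
// Added illustration, not Kirby's code. Assumes Kirby's Kirby\Cms\App and
// Kirby\Cms\Language classes and the Permissions::for($category, $action) helper.
use Kirby\Cms\App;
use Kirby\Exception\PermissionException;

// Pre-fix behaviour: the update is applied regardless of role permissions.
// A user with Panel access whose role has 'languages.*' disabled could still
// change an existing language definition through a path like this.
function updateLanguageUnchecked(App $kirby, string $code, array $props): void
{
    $language = $kirby->language($code);
    if ($language === null) {
        throw new \RuntimeException("Unknown language: {$code}");
    }
    $language->update($props); // no permission check at all
}

// Hardened form: refuse unless the current user's role explicitly allows
// updating languages. The 'update' action name is assumed for this example.
function updateLanguageChecked(App $kirby, string $code, array $props): void
{
    $user = $kirby->user();
    if ($user === null) {
        throw new PermissionException('Not authenticated');
    }
    if ($user->role()->permissions()->for('languages', 'update') !== true) {
        // Deny by default: a missing or false permission must not fall through.
        throw new PermissionException('You are not allowed to update languages');
    }
    $language = $kirby->language($code);
    if ($language === null) {
        throw new \RuntimeException("Unknown language: {$code}");
    }
    $language->update($props);
}
```

The check must live in the backend handler, not only in the Panel UI; hiding a button does not stop a request sent directly to the API.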
Affected Version(s)

Package   Affected versions      Unaffected / patched
kirby     < 3.6.6.6              3.6.6.6
kirby     >= 3.7.0, < 3.7.5.5    < 3.7.0, 3.7.5.5
kirby     >= 3.8.0, < 3.8.4.4    < 3.8.0, 3.8.4.4
