CVE-2024-26483
Published 2024-02-22
Priority: P3 (47) | Severity: high | CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.97% (57.3rd percentile)
An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file. Note the discrepancy with the vendor advisory quoted below: it rates the issue MEDIUM (CWE-79), requires the attacker to be an authenticated Panel user, and states that the flaw does not enable remote code execution.
Affected (12 ranges as indexed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getkirby | cms | >= 0 < 3.6.6.5 | 3.6.6.5 |
| getkirby | cms | >= 3.7.0 < 3.7.5.4 | 3.7.5.4 |
| getkirby | cms | >= 3.8.0 < 3.8.4.3 | 3.8.4.3 |
| getkirby | cms | >= 3.9.0 < 3.9.8.1 | 3.9.8.1 |
| getkirby | cms | >= 3.10.0 < 3.10.0.1 | 3.10.0.1 |
| getkirby | cms | >= 4.0.0 < 4.1.1 | 4.1.1 |
| getkirby | kirby | < 3.6.6.5 | 3.6.6.5 |
| getkirby | kirby | >= 3.7.0 < 3.7.5.4 | 3.7.5.4 |
| getkirby | kirby | >= 3.8.0 < 3.8.4.3 | 3.8.4.3 |
| getkirby | kirby | >= 3.9.0 < 3.9.8.1 | 3.9.8.1 |
| getkirby | kirby | >= 4.0.0 < 4.1.1 | 4.1.1 |
OSV (2024-02-26): CVE-2024-26483 [MEDIUM] Kirby vulnerable to unrestricted file upload of user avatar images
### TL;DR
This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.
The attack requires user interaction by another user or visitor and *cannot* be automated.
----
### Introduction
Unrestricted upload of files with a dangerous type is a class of vulnerability that lets an attacker circumvent the expectations and protections built into the server setup or backend code. Uploaded files are not checked for compliance with the intended purpose of the upload target, which can introduce secondary attack vectors.
While the vulnerability described here does *not* allow critical attacks like remote code execution (RCE), it can still be abused to upload unexpected file types tha
GHSA (2024-02-26): CVE-2024-26483 [MEDIUM] CWE-79 Kirby vulnerable to unrestricted file upload of user avatar images
The GHSA entry carries the same advisory text as the OSV entry above.
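The advisory's point is that the upload target (an avatar) implies a contract the server never enforced: the file name and the Content-Type of a multipart upload are chosen by the client, so an allowlist of extensions or MIME strings lets a PDF through as "avatar.jpg". The following added example (not Kirby's code, and not the project's fix) shows what content-based validation of an avatar upload looks like: sniff the real container type, check the container's framing so nothing is appended after the image, bound the dimensions, and reject files carrying active-content markers. All function names are hypothetical and the three sample uploads are constructed here.

```python
"""Server-side validation of an avatar upload by content, not by name.

Added example, not Kirby code. Decides whether an uploaded blob is a genuine
raster image before it is stored under a server-chosen name.
Chunk CRCs are not verified here; a real decoder would do that as well.
"""
import re
import struct
import zlib
from typing import Optional, Tuple

ALLOWED_KINDS = {"png", "jpeg", "gif", "webp"}
EXT_TO_KIND = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "webp": "webp"}
MAX_PIXELS = 4096 * 4096  # bounds the decode cost of a later resize step
# Markers that never belong in a raster image; a chance hit inside compressed
# data is possible, so treat a match as reject-and-log rather than proof.
ACTIVE_CONTENT = re.compile(rb"<\?php|<script|<html|<svg|%PDF-", re.IGNORECASE)


def sniff(data: bytes) -> Optional[str]:
    """Return the container type implied by the leading bytes, or None."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return None


def framing_ok(kind: str, data: bytes) -> bool:
    """Check that the file is one complete container with nothing appended."""
    if kind == "png":
        # IHDR must be the first chunk; IEND (length 0 + fixed CRC) must be the last bytes.
        return data[12:16] == b"IHDR" and data.endswith(b"\x00\x00\x00\x00IEND\xaeB`\x82")
    if kind == "jpeg":
        return data.endswith(b"\xff\xd9")  # EOI marker
    if kind == "gif":
        return data.endswith(b"\x3b")  # GIF trailer
    if kind == "webp":
        return struct.unpack("<I", data[4:8])[0] + 8 == len(data)  # RIFF size field
    return False


def png_dimensions(data: bytes) -> Tuple[int, int]:
    """Width and height from IHDR; (0, 0) if the header is too short to hold them."""
    if len(data) < 24:
        return (0, 0)
    return struct.unpack(">II", data[16:24])


def validate_avatar(filename: str, claimed_mime: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). The stored name is server-chosen: profile.<kind>."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXT_TO_KIND:
        return False, f"extension .{ext} not allowed"
    kind = sniff(data)
    if kind not in ALLOWED_KINDS:
        return False, f"content is {kind or 'unrecognised'}, not an allowed image (client claimed {claimed_mime})"
    if EXT_TO_KIND[ext] != kind:
        return False, f"extension .{ext} does not match {kind} content"
    if not framing_ok(kind, data):
        return False, f"{kind} container is truncated or has trailing data"
    if kind == "png":
        width, height = png_dimensions(data)
        if width == 0 or height == 0 or width * height > MAX_PIXELS:
            return False, f"image dimensions {width}x{height} out of bounds"
    if ACTIVE_CONTENT.search(data):
        return False, "active-content marker embedded in image"
    return True, f"stored as profile.{kind}"


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (constructed sample input for the demo)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = (b"\x00" + b"\x00\x00\x00" * width) * height  # filter byte + black pixels
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


# Constructed samples: a PDF renamed to look like a JPEG (the scenario in the CVE text),
# a genuine PNG, and a PNG with a PHP payload appended after IEND.
FAKE_JPEG = (b"%PDF-1.4\n1 0 obj<</OpenAction<</S/JavaScript/JS(app.alert(1))>>>>endobj\n%%EOF",
             "avatar.jpg", "image/jpeg")
GOOD_PNG = (make_png(), "avatar.png", "image/png")
POLYGLOT_PNG = (make_png() + b"<?php system($_GET['c']); ?>", "avatar.png", "image/png")

if __name__ == "__main__":
    for data, name, mime in (FAKE_JPEG, GOOD_PNG, POLYGLOT_PNG):
        print(name, validate_avatar(name, mime, data))
```

The extension check comes first only to give a clear error; the decision rests on the sniffed type and the framing check, which is what turns "avatar.jpg" holding a PDF, or a valid PNG with a script appended, into a rejection regardless of what the client claimed. Storing the accepted file under a fixed server-chosen name (profile.<kind>) removes the upload name from the equation entirely.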
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/getkirby/kirby/security/advisories/GHSA-xrvh-rvc4-5m43 (vendor advisory)
- https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Unrestricted-File-Upload-dc60ce3132f04442b73f2dba2631fae0?pvs=4 (writeup: "Kirby CMS 4.1.0 Unrestricted File Upload")