CVE-2024-41964
published 2024-08-29CVE-2024-41964: Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted…
PriorityP348high8.1CVSS 3.1
AVNACLPRLUINSUCNIHAH
EPSS
0.40%
32.3th percentile
Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code. A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited updates to existing language definitions. The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability. There are no known workarounds for this vulnerability.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getkirby | cms | >= 0 < 3.6.6.6 | 3.6.6.6 |
| getkirby | cms | >= 3.10.0 < 3.10.1.1 | 3.10.1.1 |
| getkirby | cms | >= 3.7.0 < 3.7.5.5 | 3.7.5.5 |
| getkirby | cms | >= 3.8.0 < 3.8.4.4 | 3.8.4.4 |
| getkirby | cms | >= 3.9.0 < 3.9.8.2 | 3.9.8.2 |
| getkirby | cms | >= 4.0.0 < 4.3.1 | 4.3.1 |
| getkirby | kirby | < 3.6.6.6 | 3.6.6.6 |
| getkirby | kirby | — | — |
| getkirby | kirby | — | — |
| getkirby | kirby | — | — |
| getkirby | kirby | — | — |
| getkirby | kirby | — | — |
| getkirby | kirby | >= 3.10.0 < 3.10.1.1 | 3.10.1.1 |
| getkirby | kirby | >= 3.7.0 < 3.7.5.5 | 3.7.5.5 |
| getkirby | kirby | >= 3.8.0 < 3.8.4.4 | 3.8.4.4 |
| getkirby | kirby | >= 3.9.0 < 3.9.8.2 | 3.9.8.2 |
| getkirby | kirby | >= 4.0.0 < 4.3.1 | 4.3.1 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Kirby has insufficient permission checks in the language settings
osv·2024-08-29
CVE-2024-41964 [HIGH] Kirby has insufficient permission checks in the language settings
Kirby has insufficient permission checks in the language settings
### TL;DR
This vulnerability affects all Kirby sites with enabled `languages` option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the `languages` and/or `api` option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is *not* affected.
----
### Introduction
Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions.
Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code.
A permission for updating existing languages has not existed
GHSA
Kirby has insufficient permission checks in the language settings
ghsa·2024-08-29
CVE-2024-41964 [HIGH] CWE-863 Kirby has insufficient permission checks in the language settings
Kirby has insufficient permission checks in the language settings
### TL;DR
This vulnerability affects all Kirby sites with enabled `languages` option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the `languages` and/or `api` option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is *not* affected.
----
### Introduction
Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions.
Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code.
A permission for updating existing languages has not existed
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-08-29
Published