3.7.5.5
🚨 Security
Insufficient permission checks in the language settings
Severity: high (CVSS score 8.1)
Kirby's frontend and backend code did not enforce the existing languages.create
and languages.delete
permissions.
The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.
This vulnerability affects all Kirby sites with enabled languages
option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the languages
and/or api
option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.
Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
Important note: This release marks the end of security support for Kirby 3.7. This version of Kirby has now reached its end of life and will no longer receive any updates whatsoever, including security updates. Please update to a more recent Kirby release to stay secure.
➡️ Read more