Vulnerability-Lookup

CVE-2024-41964 (GCVE-0-2024-41964)

Vulnerability from cvelistv5 – Published: 2024-08-29 16:19 – Updated: 2024-08-29 16:36

Title

Insufficient permission checks in the language settings in Kirby CMS

Summary

Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code. A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited updates to existing language definitions. The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability. There are no known workarounds for this vulnerability.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/getkirby/kirby/security/adviso…	x_refsource_CONFIRM
	https://github.com/getkirby/kirby/commit/ab95d172…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	getkirby	kirby	Affected: < 3.6.6.6 Affected: >= 3.7.0, < 3.7.5.5 Affected: >= 3.8.0, < 3.8.4.4 Affected: >= 3.9.0, < 3.9.8.2 Affected: >= 3.10.0, < 3.10.1.1 Affected: >= 4.0.0, < 4.3.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41964",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-29T16:35:56.160679Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-29T16:36:08.820Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kirby",
          "vendor": "getkirby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.6.6.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.7.0, \u003c 3.7.5.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.8.0, \u003c 3.8.4.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.9.0, \u003c 3.9.8.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.10.0, \u003c 3.10.1.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby\u0027s frontend or backend code. A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited updates to existing language definitions. The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-29T16:19:21.676Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh"
        },
        {
          "name": "https://github.com/getkirby/kirby/commit/ab95d172667c3cd529917c2bc94d3c7969706d23",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getkirby/kirby/commit/ab95d172667c3cd529917c2bc94d3c7969706d23"
        }
      ],
      "source": {
        "advisory": "GHSA-jm9m-rqr3-wfmh",
        "discovery": "UNKNOWN"
      },
      "title": "Insufficient permission checks in the language settings in Kirby CMS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-41964",
    "datePublished": "2024-08-29T16:19:21.676Z",
    "dateReserved": "2024-07-24T16:51:40.952Z",
    "dateUpdated": "2024-08-29T16:36:08.820Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-41964\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-29T16:35:56.160679Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-29T16:36:00.703Z\"}}], \"cna\": {\"title\": \"Insufficient permission checks in the language settings in Kirby CMS\", \"source\": {\"advisory\": \"GHSA-jm9m-rqr3-wfmh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"getkirby\", \"product\": \"kirby\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.6.6.6\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.7.0, \u003c 3.7.5.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.8.0, \u003c 3.8.4.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.9.0, \u003c 3.9.8.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.10.0, \u003c 3.10.1.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 4.3.1\"}]}], \"references\": [{\"url\": \"https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh\", \"name\": \"https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/getkirby/kirby/commit/ab95d172667c3cd529917c2bc94d3c7969706d23\", \"name\": \"https://github.com/getkirby/kirby/commit/ab95d172667c3cd529917c2bc94d3c7969706d23\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby\u0027s frontend or backend code. A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited updates to existing language definitions. The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-08-29T16:19:21.676Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-41964\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-29T16:36:08.820Z\", \"dateReserved\": \"2024-07-24T16:51:40.952Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-08-29T16:19:21.676Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-JM9M-RQR3-WFMH

Vulnerability from github – Published: 2024-08-29 17:55 – Updated: 2024-08-29 19:07

Summary

Kirby has insufficient permission checks in the language settings

Details

TL;DR

This vulnerability affects all Kirby sites with enabled languages option that might have potential attackers in the group of authenticated Panel users.

If you have disabled the languages and/or api option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.

Introduction

Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions.

Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code.

A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited updates to existing language definitions.

Impact

The missing permission checks allowed attackers with Panel access to manipulate the language definitions.

The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage, for example:

If the languages option was enabled but no language exists, creating the first language will switch Kirby to multi-language mode.
Deleting an existing language will lead to content loss of all translated content in that language. Deleting the last language will switch Kirby to single-language mode.
Updating a language allows to change the metadata including the language slug (used in page URLs) and language variables. It also allows to change the default language, which will cause Kirby to use the new default language's content as a fallback for non-existing translations.

Depending on the site code, the result of such actions can cause loss of site availability (e.g. error messages in the site frontend) or integrity (due to changed URLs or removed translations).

Patches

The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, we have added checks for the languages.create and languages.delete permissions that ensure that users without those permissions cannot perform the respective actions. We have also added a new languages.update permission.

Credits

Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.

Severity ?

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

8.8 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.6.6.5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.7.5.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "3.7.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.8.4.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.8.0"
            },
            {
              "fixed": "3.8.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.9.8.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0"
            },
            {
              "fixed": "3.9.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.10.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0"
            },
            {
              "fixed": "3.10.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.3.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-41964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-29T17:55:30Z",
    "nvd_published_at": "2024-08-29T17:15:07Z",
    "severity": "HIGH"
  },
  "details": "### TL;DR\n\nThis vulnerability affects all Kirby sites with enabled `languages` option that might have potential attackers in the group of authenticated Panel users.\n\nIf you have disabled the `languages` and/or `api` option and don\u0027t call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is *not* affected.\n\n----\n\n### Introduction\n\nKirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions.\n\nPermissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby\u0027s frontend or backend code.\n\nA permission for updating existing languages has not existed before the patched versions. So disabling the `languages.*` wildcard permission for a role could not have prohibited updates to existing language definitions.\n\n### Impact\n\nThe missing permission checks allowed attackers with Panel access to manipulate the language definitions.\n\nThe language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage, for example:\n\n- If the `languages` option was enabled but no language exists, creating the first language will switch Kirby to multi-language mode.\n- Deleting an existing language will lead to content loss of all translated content in that language. Deleting the last language will switch Kirby to single-language mode.\n- Updating a language allows to change the metadata including the language slug (used in page URLs) and language variables. It also allows to change the default language, which will cause Kirby to use the new default language\u0027s content as a fallback for non-existing translations.\n\nDepending on the site code, the result of such actions can cause loss of site availability (e.g. error messages in the site frontend) or integrity (due to changed URLs or removed translations).\n\n### Patches\n\nThe problem has been patched in [Kirby 3.6.6.6](https://github.com/getkirby/kirby/releases/tag/3.6.6.6), [Kirby 3.7.5.5](https://github.com/getkirby/kirby/releases/tag/3.7.5.5), [Kirby 3.8.4.4](https://github.com/getkirby/kirby/releases/tag/3.8.4.4), [Kirby 3.9.8.2](https://github.com/getkirby/kirby/releases/tag/3.9.8.2), [Kirby 3.10.1.1](https://github.com/getkirby/kirby/releases/tag/3.10.1.1), and [Kirby 4.3.1](https://github.com/getkirby/kirby/releases/tag/4.3.1). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have added checks for the `languages.create` and `languages.delete` permissions that ensure that users without those permissions cannot perform the respective actions. We have also added a new `languages.update` permission.\n\n### Credits\n\nThanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.",
  "id": "GHSA-jm9m-rqr3-wfmh",
  "modified": "2024-08-29T19:07:02Z",
  "published": "2024-08-29T17:55:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41964"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/commit/1dbc9215c97a5c22dc7f34a4e3a64d19e1eac151"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/commit/38636655b054e820f66c3b717c55a9d60fe6400a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/commit/83fce501759782cf843b6f1d9293a7c7167e69af"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/commit/ab95d172667c3cd529917c2bc94d3c7969706d23"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/commit/af9b0a58dea63effab85525ae217faa1f5ded423"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/commit/e647a177c75636ef4824662b2ce00d8e5c3a8406"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getkirby/kirby"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/3.10.1.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/3.9.8.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/4.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kirby has insufficient permission checks in the language settings"
}

FKIE_CVE-2024-41964

Vulnerability from fkie_nvd - Published: 2024-08-29 17:15 - Updated: 2024-09-06 22:56

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/getkirby/kirby/commit/ab95d172667c3cd529917c2bc94d3c7969706d23	Patch
	security-advisories@github.com	https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh	Vendor Advisory

Impacted products

Vendor	Product	Version
getkirby	kirby	*
getkirby	kirby	*
getkirby	kirby	*
getkirby	kirby	*
getkirby	kirby	*
getkirby	kirby	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FB5113F1-0EAB-408F-9574-7A9545905C52",
              "versionEndExcluding": "3.6.6.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A9E85FE-0FC5-41C1-99EB-6CEE106864E3",
              "versionEndExcluding": "3.7.5.5",
              "versionStartIncluding": "3.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC6DA7E2-7EA2-4F0B-BECD-0481489E1A9E",
              "versionEndExcluding": "3.8.4.4",
              "versionStartIncluding": "3.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "815FC984-F946-463C-8CDC-2923BF51D85D",
              "versionEndExcluding": "3.9.8.2",
              "versionStartIncluding": "3.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A359C0A7-92E0-428B-A3D1-32B43929EC6F",
              "versionEndExcluding": "3.10.1.1",
              "versionStartIncluding": "3.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "45D93D8F-70F6-4E50-A7A7-511593473868",
              "versionEndExcluding": "4.3.1",
              "versionStartIncluding": "4.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby\u0027s frontend or backend code. A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited updates to existing language definitions. The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "Kirby es un CMS dirigido a manipuladores y editores. Kirby permite restringir los permisos de roles de usuario espec\u00edficos. Los usuarios de ese rol solo pueden realizar acciones permitidas. Los permisos para crear y eliminar idiomas ya exist\u00edan y se pod\u00edan configurar, pero no se aplicaban mediante el c\u00f3digo de interfaz o backend de Kirby. No exist\u00eda un permiso para actualizar idiomas existentes antes de las versiones parcheadas. Por lo tanto, deshabilitar el permiso comod\u00edn de idiomas.* para un rol no podr\u00eda haber prohibido las actualizaciones de las definiciones de idiomas existentes. Las comprobaciones de permisos faltantes permit\u00edan a los atacantes con acceso al Panel manipular las definiciones de idiomas. El problema se ha corregido en Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1 y Kirby 4.3.1. Actualice a una de estas versiones o a una posterior para corregir la vulnerabilidad. No existen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2024-41964",
  "lastModified": "2024-09-06T22:56:18.010",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-08-29T17:15:07.980",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/getkirby/kirby/commit/ab95d172667c3cd529917c2bc94d3c7969706d23"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-41964 (GCVE-0-2024-41964)

GHSA-JM9M-RQR3-WFMH

TL;DR

Introduction

Impact

Patches

Credits

FKIE_CVE-2024-41964

Tags

Sightings

Nomenclature