php · getkirby/cms · Critical
Kirby CMS Missing Authorization Check in /api/site/find Route
What changed
A missing authorization check in the `/api/site/find` route allowed authenticated users to retrieve page information (including full content and metadata) for pages they do not have permission to access.
Who it affects
Kirby sites where users of a particular role have no permission to access pages (the `pages.access` permission is disabled for that role).
What to do today
Update to Kirby 4.9.4 or 5.4.4 (or later) to fix the vulnerability.
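To check a deployment against the fixed releases named above, this added example (not part of the advisory or of Kirby itself) reads a Composer lock file and classifies the installed `getkirby/cms` version. It assumes Kirby is installed through Composer; the status labels and function names are this example's own, and release lines other than 4.x and 5.x are reported as not covered because the advisory says nothing about them.

```python
import json

# Fixed releases named in the advisory, keyed by major release line.
FIXED = {4: (4, 9, 4), 5: (5, 4, 4)}

def parse_version(text):
    """'4.9.3' or 'v5.4.4' -> (major, minor, patch); None for dev/RC strings."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def kirby_version(lock_text):
    """Return the getkirby/cms version recorded in composer.lock, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "getkirby/cms":
            return pkg.get("version")
    return None

def advisory_status(lock_text):
    """Classify a lock file; the status labels are this example's own."""
    raw = kirby_version(lock_text)
    if raw is None:
        return "not-installed"
    version = parse_version(raw)
    if version is None:
        return "unknown"            # branch alias or pre-release: check by hand
    if version[0] > max(FIXED):
        return "patched"            # newer major line, i.e. "or later"
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "not-covered"        # the advisory names no fix for this line
    return "patched" if version >= fixed else "update-needed"

def sample_lock(version):
    """Constructed composer.lock content for demonstration."""
    return json.dumps({"packages": [
        {"name": "example/other-package", "version": "v1.0.0"},
        {"name": "getkirby/cms", "version": version},
    ]})

if __name__ == "__main__":
    for v in ("4.9.3", "4.9.4", "5.4.3", "5.5.0", "3.10.1", "dev-main"):
        print(v, "->", advisory_status(sample_lock(v)))
```

In practice, pass the contents of the project's real `composer.lock` to `advisory_status` instead of the constructed sample.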