php · getkirby/cms
Heads-up
Kirby CMS Missing Authorization Check in Pages Field Picker
Missing authorization check in the backend logic for the page picker used in the `pages` field.
What changed
The backend logic for the page picker used in the `pages` field lacked an authorization check: it did not validate that the user-provided parent page or site was accessible to the current user. This allowed authenticated attackers to confirm the existence of arbitrary pages and retrieve their title field values.
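The pattern behind this issue, as an added example that is not Kirby's code: a minimal page-picker backend that resolves a request-supplied parent id and lists child titles. The content tree, the role table and the function names are constructed for illustration; the only Kirby-specific name reused is the `pages.access` permission from the advisory.

```php
<?php
// Added illustration (not getkirby/cms code): vulnerable vs. hardened picker.
// Everything below (tree, roles, helper names) is constructed for this example.
declare(strict_types=1);

// Constructed sample content tree: id => title and child ids
const PAGES = [
    'site'            => ['title' => 'Site root',      'children' => ['about', 'internal']],
    'about'           => ['title' => 'About us',       'children' => []],
    'internal'        => ['title' => 'Internal notes', 'children' => ['internal/budget']],
    'internal/budget' => ['title' => 'Budget 2025',    'children' => []],
];

// Constructed role permissions; the relevant one is pages.access.
const ROLES = [
    'admin'  => ['pages.access' => true],
    'client' => ['pages.access' => false],
];

// Vulnerable pattern: the parent id comes straight from the request and is
// resolved without asking whether the current user may access pages at all.
// A 404 for unknown ids and titles for known ids leaks both existence and titles.
function pickerVulnerable(string $role, string $parentId): ?array
{
    if (!isset(PAGES[$parentId])) {
        return null;   // not found
    }
    return array_map(fn(string $id) => PAGES[$id]['title'], PAGES[$parentId]['children']);
}

// Hardened pattern: authorize before resolving anything user-supplied, and
// answer "forbidden" and "unknown" identically so a probe cannot tell existing
// pages from non-existing ones.
function pickerHardened(string $role, string $parentId): ?array
{
    $allowed = ROLES[$role]['pages.access'] ?? false;
    if (!$allowed || !isset(PAGES[$parentId])) {
        return null;
    }
    return array_map(fn(string $id) => PAGES[$id]['title'], PAGES[$parentId]['children']);
}

// A role without pages.access and a guessed id:
var_dump(pickerVulnerable('client', 'internal'));  // ["Budget 2025"] leaks
var_dump(pickerHardened('client', 'internal'));    // NULL
var_dump(pickerHardened('admin', 'internal'));     // ["Budget 2025"]
```

The check belongs on the server side of the picker request, not in the Panel UI, because the parent id is attacker-controlled input.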
Who it affects
Kirby sites using the `pages` field where users of a particular role have no permission to access pages (`pages.access` permission disabled). Only authenticated users can exploit it.
What to do today
Update Kirby to version 4.9.4 or 5.4.4 (or a later release) to fix the vulnerability.