CVE-2024-41964
📋 TL;DR
This vulnerability in Kirby CMS allows attackers with Panel access to manipulate language definitions despite permission restrictions. Users with restricted roles could update existing language definitions even when language permissions were disabled. This affects all Kirby installations using vulnerable versions where role-based permissions are configured.
💻 Affected Systems
- Kirby CMS
📦 What is this software?
Kirby by Getkirby
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify language definitions to inject malicious content, redirect users, or alter site functionality across all language versions of the site.
Likely Case
Unauthorized modification of language content leading to defacement, content manipulation, or minor functional changes.
If Mitigated
With proper access controls and monitoring, only authorized users can make language updates, so the impact is limited to legitimate changes.
🎯 Exploit Status
Requires authenticated Panel access with any user role. Exploitation is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kirby 3.6.6.6, 3.7.5.5, 3.8.4.4, 3.9.8.2, 3.10.1.1, or 4.3.1
Vendor Advisory: https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh
Restart Required: No
Instructions:
1. Back up your Kirby installation.
2. Update Kirby via Composer (composer update getkirby/cms) or manually replace the core files.
3. Verify that the update completed successfully.
4. Test language permission functionality.
🧯 If You Can't Patch
- Restrict Panel access to only trusted administrators
- Implement additional authentication factors for Panel users
🔍 How to Verify
Check if Vulnerable:
Check the Kirby version in composer.json or site/config/config.php and compare it against the affected version ranges.
Check Version:
Check composer.json for "getkirby/cms" version or view Kirby version in Panel footer.
Verify Fix Applied:
Verify that the Kirby version is at least the patched release for its branch: 3.6.6.6, 3.7.5.5, 3.8.4.4, 3.9.8.2, 3.10.1.1 or 4.3.1. Test language update permissions with restricted user roles.
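As an added example that is not part of this advisory, the following Python check reads the exact getkirby/cms version from composer.lock and compares it against the patched release for that branch (composer.json normally holds a constraint such as ^4.0 rather than an installed version, so composer.lock is the reliable source). How branches the advisory does not list are handled is an assumption: anything newer than 4.3 is treated as fixed, anything older with no listed patch as vulnerable.

```python
import json
import re
from typing import Optional, Tuple

# Patched releases listed in the advisory, keyed by the (major, minor) branch they fix.
FIXED_BY_BRANCH = {
    (3, 6): (3, 6, 6, 6),
    (3, 7): (3, 7, 5, 5),
    (3, 8): (3, 8, 4, 4),
    (3, 9): (3, 9, 8, 2),
    (3, 10): (3, 10, 1, 1),
    (4, 3): (4, 3, 1),
}
NEWEST_FIXED_BRANCH = (4, 3)

def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '4.3.1' or 'v3.9.8.2'; reject constraints such as '^4.0' from composer.json."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not an exact version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable(version: str) -> bool:
    """True if this getkirby/cms version predates the fix for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Tuple comparison treats a shorter prefix as smaller, so 3.6.6 < 3.6.6.6.
        return v < FIXED_BY_BRANCH[branch]
    # Assumption: branches newer than 4.3 shipped after the fix; branches with no
    # listed patch (e.g. 4.2.x, 3.5.x) have to upgrade and are reported as vulnerable.
    return branch < NEWEST_FIXED_BRANCH

def installed_kirby_version(composer_lock_text: str) -> Optional[str]:
    """Return the exact getkirby/cms version recorded in composer.lock, or None."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "getkirby/cms":
            return pkg.get("version")
    return None

# Constructed sample lock file (not from a real site) so the script runs stand-alone.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "getkirby/cms", "version": "3.9.8.1"}]})

if __name__ == "__main__":
    ver = installed_kirby_version(SAMPLE_LOCK)
    print(ver, "vulnerable" if ver and is_vulnerable(ver) else "patched or not installed")
```

Point installed_kirby_version at the real composer.lock of a deployment to check it; a version the advisory lists as patched, or any later release on the same branch, is reported as not vulnerable.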
📡 Detection & Monitoring
Log Indicators:
- Unauthorized language update attempts in Kirby logs
- Language definition modifications by non-admin users
Network Indicators:
- POST requests to language update endpoints from unauthorized roles
SIEM Query:
source="kirby_logs" AND (event="language_update" OR event="language_modified") AND user_role!="admin"