
4.3.1

@lukasbestle lukasbestle released this 29 Aug 08:57
576306d

🚨 Security

Insufficient permission checks in the language settings

Severity: high (CVSS score 8.1)

Kirby's frontend and backend code did not enforce the existing languages.create and languages.delete permissions.

The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.

This vulnerability affects all Kirby sites with the languages option enabled where potential attackers may be among the authenticated Panel users.

If you have disabled the languages and/or api option and your own code does not call any methods that write to languages (language creation, update or deletion), your site is not affected.

Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
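As an added example (not part of this release or of Kirby's own code), the following shows how site or plugin code that writes to languages can enforce the languages.create and languages.delete permissions server-side itself, rather than relying on the Panel UI. It assumes Kirby's public API as named in the comments ($kirby->user(), Role::permissions()->for(), Language::create(), Language::delete()); the helper function names are hypothetical.

```php
<?php
// Added example, not Kirby's own code. Assumes the Kirby public API:
// App::user(), Role::permissions()->for($category, $action),
// App::language($code), Language::create() and Language::delete().

use Kirby\Cms\App;
use Kirby\Cms\Language;
use Kirby\Exception\PermissionException;

/**
 * Throw unless the current user holds the given languages.* permission.
 * The check runs on every write, independent of what the Panel shows.
 */
function requireLanguagePermission(App $kirby, string $action): void
{
    $user = $kirby->user();

    // No authenticated user at all: never allow a language write.
    if ($user === null) {
        throw new PermissionException('Not authenticated');
    }

    // Role permissions are the source of truth, not the UI state.
    if ($user->role()->permissions()->for('languages', $action) !== true) {
        throw new PermissionException('Missing permission languages.' . $action);
    }
}

// Hypothetical wrapper: gate language creation on languages.create
function createLanguageChecked(App $kirby, array $props): Language
{
    requireLanguagePermission($kirby, 'create');
    return Language::create($props);
}

// Hypothetical wrapper: gate language deletion on languages.delete
function deleteLanguageChecked(App $kirby, string $code): bool
{
    requireLanguagePermission($kirby, 'delete');

    $language = $kirby->language($code);
    if ($language === null) {
        throw new \InvalidArgumentException('Unknown language: ' . $code);
    }

    return $language->delete();
}

// Usage from a custom route or hook (constructed sample values):
// createLanguageChecked($kirby, ['code' => 'fr', 'name' => 'Français']);
```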


🐛 Bug fixes

  • Fixed console error from views without a menu on narrow window widths #6487
  • Prev-Next navigation isn’t always hidden anymore on user view

🧹 Housekeeping

  • Fix support for .env files in the Panel Vite build config #6516
  • Use SERVER as name for the Vite host override env variable #6516