Product: Kirby (Getkirby)

Repositories: Unknown. This might be proprietary software.
Number of vulnerabilities: 23

| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-07-27 | CVE-2023-38492 | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited, however we still recommend to update to one of the patch releases because they also fix more severe vulnerabilities. Kirby's authentication endpoint did not limit the password length. This allowed attackers to... | Kirby | 7.5 | | |
| 2023-07-27 | CVE-2023-38491 | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary file to the content folder. Kirby sites are not affected if they don't allow file uploads for untrusted users or visitors or if the file extensions of uploaded files are limited to a fixed safe list. The attack... | Kirby | 5.4 | | |
| 2024-08-29 | CVE-2024-41964 | Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code. A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited... | Kirby | 8.1 | | |
| 2022-08-24 | CVE-2018-14519 | An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page. | Kirby | 4.3 | | |
| 2022-08-24 | CVE-2018-14520 | An issue was discovered in Kirby 2.5.12. The application allows malicious HTTP requests to be sent in order to trick a user into adding web pages. | Kirby | 5.4 | | |
| 2019-05-13 | CVE-2018-16624 | panel/pages/home/edit in Kirby v2.5.12 allows XSS via the title of a new page. | Kirby | 5.4 | | |
| 2019-05-13 | CVE-2018-16623 | Kirby V2.5.12 is prone to a Persistent XSS attack via the Title of the "Site options" in the admin panel dashboard dropdown. | Kirby | 4.8 | | |
| 2018-12-28 | CVE-2018-16630 | Kirby v2.5.12 allows XSS by using the "site files" Add option to upload an SVG file. | Kirby | 4.8 | | |
| 2018-12-04 | CVE-2018-16628 | panel/login in Kirby v2.5.12 allows XSS via a blog name. | Kirby | 5.4 | | |
| 2018-12-20 | CVE-2018-16627 | panel/login in Kirby v2.5.12 allows Host header injection via the "forget password" feature. | Kirby | 6.1 | | |