GHSA-6gqr-mx34-wh8r

TL;DR

This vulnerability affects all Kirby sites where users of a particular role have no permission to create pages, files or users (pages.create, files.create or users.create permission is disabled). This can be due to configuration in the user blueprint(s), via options in the model blueprint(s) or via a combination of both settings.

This vulnerability is of high severity for affected sites.

Developers' Kirby sites are not affected if they intend all users of their site to be able to create pages, files and users. The vulnerability can only be exploited by authenticated users.

Introduction

An authorization bypass allows authenticated users to perform actions they should not be allowed to perform based on their configured permissions, thereby causing a privilege escalation.

The effects of an authorization bypass can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.

Impact

Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/...). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/...) using the options feature. The permissions and options together control the authorization of user actions.

Kirby provides the pages.create, files.create and users.create permissions (among others). These permissions can again be set in the user blueprint and/or in the blueprint of the target model via options. In affected releases, Kirby allowed to override the options during the creation of pages, files and users by injecting custom dynamic blueprint configuration into the model data. The injected options could include 'create' => true, which then caused an override of the permissions and options configured by the site...