This vulnerability affects all Kirby sites where users of a particular role have no permission to access or list pages or files (i.e. the pages.access, pages.list, files.access or files.list permission is disabled). This can be caused by configuration in the user blueprint(s), by options in the model blueprint(s), or by a combination of both settings.
This vulnerability is of high severity for affected sites.
Kirby sites are not affected if all users are intended to be able to access all pages and files of the site. The vulnerability can only be exploited by authenticated users. Write actions are not affected by this vulnerability.
Missing authorization allows authenticated users to perform actions they are not intended to have access to.
The effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.
Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/...). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/...) using the options feature. The permissions and options together control the authorization of user actions.
Kirby provides the pages.access, pages.list, files.access and files.list permissions (among others). The list permissions control whether affected models appear in lists throughout the Panel and REST API. The access permissions have the same effect but also disable direct access to the affected models.
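As an added example (not code from the Kirby project or from this advisory), the following Python audit walks the parsed contents of user-role and page blueprints and reports, per role, which of the four permissions named here are disabled, so a site operator can tell whether the site falls into the affected configuration. It assumes the blueprint shapes `permissions: pages: access: false`, `permissions: files: false` (whole group off) and page `options: list: { editor: false }` (per-role option); the blueprint dicts below are constructed samples standing in for the parsed YAML files.

```python
# Added example: read-only audit of the Kirby blueprint settings the advisory
# names (pages.access, pages.list, files.access, files.list).
# The dicts are constructed samples standing in for the parsed YAML of
# site/blueprints/users/*.yml and site/blueprints/pages/*.yml.

# Constructed: user-role blueprints (site/blueprints/users/<role>.yml)
USER_BLUEPRINTS = {
    "admin": {"title": "Admin"},  # no permissions key: everything allowed
    "editor": {"title": "Editor",
               "permissions": {"pages": {"access": False}, "files": {"list": False}}},
    "viewer": {"title": "Viewer", "permissions": {"files": False}},  # whole group off
}

# Constructed: page blueprints (site/blueprints/pages/<template>.yml)
PAGE_BLUEPRINTS = {
    "article": {"options": {"list": {"editor": False}}},  # per-role option map
    "internal": {"options": {"access": False}},           # off for every role
}

PERMS = ("access", "list")

def disabled_in_role(blueprint, group):
    """Names of access/list permissions a role blueprint disables for `group`."""
    perms = blueprint.get("permissions", {}).get(group, True)
    if perms is False:
        return set(PERMS)  # `pages: false` / `files: false` disables the whole group
    if perms is True:
        return set()
    return {p for p in PERMS if perms.get(p, True) is False}

def disabled_in_model(blueprint, role):
    """Access/list options a model blueprint disables for `role`."""
    options = blueprint.get("options", {})
    out = set()
    for opt in PERMS:
        value = options.get(opt, True)
        if isinstance(value, dict):  # role map such as {editor: false}
            value = value.get(role, True)
        if value is False:
            out.add(opt)
    return out

def affected_roles(user_blueprints, page_blueprints):
    """Map each role to the settings that hide some content from its users."""
    findings = {}
    for role, bp in user_blueprints.items():
        reasons = set()
        for group in ("pages", "files"):
            reasons |= {f"{group}.{p} (user blueprint)" for p in disabled_in_role(bp, group)}
        for template, mbp in page_blueprints.items():
            reasons |= {f"pages.{p} (options in {template})" for p in disabled_in_model(mbp, role)}
        if reasons:
            findings[role] = sorted(reasons)
    return findings
```

Any role that appears in the result is one for which an affected release may have failed to hide the non-listable models consistently.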
In affected releases, Kirby did not consistently hide non-listable models (models for which the respective access or list permission was disabled) in the following scenarios:
Patched versions: 4.9.0, 5.4.0
Severity: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)