Kirby CMS, Authorization Bypass, CVE-2024-23648 (Medium)

Listen to this Post

The vulnerability arises because Kirby CMS checks `pages.create` and `pages.changeStatus` permissions independently. When an authenticated user has `pages.create` enabled but `pages.changeStatus` disabled, they should only be able to create draft pages. However, the REST API accepts an `isDraft` flag during page creation. By setting isDraft=false, an attacker can publish the page immediately, bypassing the normal workflow that requires a separate status change. The Panel’s UI forces draft creation, but the API does not validate the permission combination. This allows privilege escalation: a user with limited editorial rights (e.g., can create pages but not publish) can directly publish content. The flaw exists in Kirby versions before 4.9.0 and 5.4.0. Exploitation requires authenticated access, but any user with `pages.create` permission can trigger it. The root cause is missing enforcement of `pages.changeStatus` during the API’s page creation method. Patched versions add a check that rejects published page creation if the user lacks pages.changeStatus. The vulnerability was reported responsibly by @offset.
Platform: Kirby CMS
Version: <4.9.0,<5.4.0
Vulnerability: Auth bypass
Severity: Medium
date: 2024-02-21

Prediction: 2024-03-15

What Undercode Say:

Check if Kirby site is vulnerable
curl -X POST https://target.com/api/pages \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"":"Malicious","parent":"/","isDraft":false}'
Response 201 indicates published page created without pages.changeStatus
// Vulnerable API endpoint logic (simplified)
if ($user->hasPermission('pages.create')) {
$page = Page::create($parent, $slug, $data);
if (!$data['isDraft']) $page->publish(); // No check on pages.changeStatus
}

Exploit:

Authenticated attacker with pages.create, without pages.changeStatus, sends a POST request to `/api/pages` with "isDraft": false. The page is published instantly, bypassing draft review.

Protection from this CVE:

Update to Kirby 4.9.0 or 5.4.0+. Alternatively, disable `pages.create` for all roles or override API endpoint to enforce `pages.changeStatus` via custom plugin. Validate `isDraft` flag against user permissions in custom code.

Impact:

Unauthorized publication of content. Attackers can inject malicious or misleading pages directly into the live site, bypassing editorial oversight. Leads to defacement, phishing, or bypass of approval workflows.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top