How the mentioned CVE works (missing authorization in Kirby CMS):
1. Kirby CMS uses user roles and permissions defined in site/blueprints/users/.
2. The `access.system` permission controls access to the Panel’s system area (Kirby version, plugins, server version, license).
3. When `access.system` is disabled for a role, users of that role should not see sensitive system info.
4. However, the REST API endpoint `/api/system` did not enforce this permission check.
5. Any authenticated Panel user could send a GET request to /api/system.
6. The endpoint returned the installed Kirby version (e.g., 4.8.0).
7. It also returned license status (e.g., “active”), license type (e.g., “standard”), and license code.
8. This data is considered sensitive and useful for reconnaissance.
9. Attackers with low-privileged Panel access could gather version and license info.
10. Version numbers help attackers find known vulnerabilities for that specific Kirby release.
11. License details might reveal business or deployment context.
12. The vulnerability exists because the endpoint lacked an authorization check.
13. It affects all Kirby installations with authenticated Panel users, regardless of role.
14. The issue is not about authentication (users are logged in) but authorization.
15. No special privileges required – just any valid Panel user account.
16. The missing check allowed bypass of the `access.system` permission restriction.
17. Attackers could exploit this to plan further attacks (e.g., targeting specific Kirby versions).
18. The vulnerability was reported by @HuajiHD and @0x-bala.
19. Patches were released in Kirby 4.9.0 and 5.4.0.
20. The fix adds a permission check for `access.system` before returning version/license data in /api/system.
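The gap in items 4 to 16 and the fix in item 20, as a Python model added here (it is not Kirby's code; the roles, user and response types are constructed, and `permission_for` mirrors how a role's `permissions` settings resolve, with unset meaning allowed):

```python
"""Constructed model of the /api/system authorization gap and its fix (not Kirby's code)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed: the sensitive fields the page says /api/system returned.
SYSTEM_INFO = {
    "version": "4.8.0",
    "license": {"status": "active", "type": "standard", "code": "<LICENSE-CODE>"},
}

# Role permissions as a user blueprint (site/blueprints/users/<role>.yml) would
# set them: a category maps to a bool or to per-action bools. Constructed roles.
ROLE_PERMISSIONS: dict[str, dict] = {
    "admin": {},                              # nothing restricted
    "editor": {"access": {"system": False}},  # Panel yes, system view no
    "viewer": {"access": False},              # whole 'access' category off
}

def permission_for(permissions: dict, category: str, action: str) -> bool:
    """Resolve permissions.<category>.<action>: unset means allowed, a bare
    bool on the category applies to all of its actions."""
    setting = permissions.get(category, True)
    if isinstance(setting, bool):
        return setting
    return bool(setting.get(action, True))

@dataclass
class PanelUser:
    role: str

@dataclass
class Response:
    status: int
    body: dict | None = None

def system_endpoint_vulnerable(user: PanelUser | None) -> Response:
    """Pre-fix behaviour: only authentication is checked, never access.system."""
    if user is None:
        return Response(401)
    return Response(200, SYSTEM_INFO)

def system_endpoint_fixed(user: PanelUser | None) -> Response:
    """Patched behaviour: authorize against access.system before disclosing anything."""
    if user is None:
        return Response(401)
    if not permission_for(ROLE_PERMISSIONS[user.role], "access", "system"):
        return Response(403, {"message": "access.system permission required"})
    return Response(200, SYSTEM_INFO)
```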
dailycve form (3 words max per line):
Platform: Kirby CMS
Version: <4.9.0, <5.4.0
Vulnerability: Missing authorization
Severity: Medium
Date: 2024-03-25 (approximate disclosure)
Prediction: Already patched
What Undercode Say:
Analytics – Bash commands and codes to detect vulnerable Kirby instances:

```bash
# Check Kirby version from Panel source
curl -s https://target.com/panel/media/plugins/kirby/index.js | grep -oP 'Kirby version \K[0-9.]+'

# Query /api/system endpoint (authenticated, requires valid session token)
curl -X GET https://target.com/api/system \
  -H "Authorization: Bearer <PANEL_SESSION_TOKEN>" \
  -H "Content-Type: application/json"

# Extract version and license from response
curl -s https://target.com/api/system -H "Cookie: kirby_session=<SESSION_ID>" | jq '.data.version, .data.license'

# Check if endpoint returns sensitive fields without access.system permission
curl -s https://target.com/api/system | grep -E 'version|license'
```
Exploit:
An authenticated low-privilege user (e.g., “editor” role with `access.system` disabled) sends a GET request to /api/system. The response contains version, license.status, license.type, and license.code. No additional payload or privilege escalation needed.
Protection from this CVE:
Update to Kirby 4.9.0 or 5.4.0 or later. If unable to update, apply a custom middleware to the `/api/system` endpoint that checks for the `access.system` permission before returning version/license fields. Alternatively, disable the REST API entirely via config (`'api' => false`) if not required; note that the Panel itself talks to the backend through this REST API, so disabling the API also takes the Panel out of service.
Impact:
Sensitive information leak (Kirby version, license details) enables targeted attacks. Attackers can identify outdated plugins and known CVEs for that Kirby version, or attempt a license-validation bypass. Low-privilege users can escalate their reconnaissance, increasing the risk of full site compromise.
Sources:
Reported By: github.com