CVE-2020-26255 – PHP Phar archives could be uploaded and executed in Kirby
https://notcve.org/view.php?id=CVE-2020-26255
Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14, an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors without Panel access *cannot* use this attack vector. The problem has been patched in Kirby 2.5.14 and Kirby 3.4.5.
References: https://github.com/getkirby-v2/panel/commit/5a569d4e3ddaea2b6628d7ec1472a3e8bc410881 https://github.com/getkirby/kirby/commit/db8f371b13036861c9cc5ba3e85e27f73fce5e09 https://github.com/getkirby/kirby/releases/tag/3.4.5 https://github.com/getkirby/kirby/security/advisories/GHSA-g3h8-cg9x-47qw https://packagist.org/packages/getkirby/cms https://packagist.org/packages/getkirby/panel
Weakness: CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2020-26253 – .dev domains treated as local in Kirby
https://notcve.org/view.php?id=CVE-2020-26253
Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14, there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. This is a security feature, which we implemented years ago in Kirby 2. It helps prevent you from forgetting to register your first admin account on a public server.
References: https://github.com/getkirby-v2/panel/commit/7f9ac1876bacb89fd8f142f5e561a02ebb725baa https://github.com/getkirby/kirby/releases/tag/3.3.6 https://github.com/getkirby/kirby/security/advisories/GHSA-2ccx-2gf3-8xvv https://packagist.org/packages/getkirby/cms https://packagist.org/packages/getkirby/panel
Weakness: CWE-346: Origin Validation Error
CVE-2015-7773
https://notcve.org/view.php?id=CVE-2015-7773
Unrestricted file upload vulnerability in the Panel component in Bastian Allgeier Kirby before 2.1.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file that lacks an extension, and then renaming this file to have a .php extension.
References: http://getkirby.com/changelog/kirby-2-1-2 http://jvn.jp/en/jp/JVN34780384/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2015-000182