
CVSS: 8.1 | EPSS: 0% | CPEs: 6 | EXPL: 0

Kirby is a CMS targeting designers and editors. Kirby allows restricting the permissions of specific user roles, so that users of that role can only perform permitted actions. Permissions for creating and deleting languages already existed and could be configured, but were not enforced by Kirby's frontend or backend code. A permission for updating existing languages did not exist before the patched versions.
• https://github.com/getkirby/kirby/commit/ab95d172667c3cd529917c2bc94d3c7969706d23
• https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh
• CWE-863: Incorrect Authorization

CVSS: 4.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link against the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined link formats. As the "Custom" link type is meant to be flexible, it also allows the javascript: URL scheme. In some use cases this can be intended, but it can also be misused by attackers to execute arbitrary JavaScript code when a user or visitor clicks on a link that is generated from the contents of the link field.
• https://github.com/getkirby/kirby/commit/cda3dd9a15228d35e62ff86cfa87a67e7c687437
• https://github.com/getkirby/kirby/security/advisories/GHSA-63h4-w25c-3qv4
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')