CVE-2024-41964— Insufficient permission checks in the language settings in Kirby CMS
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-41964
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Insufficient permission checks in the language settings in Kirby CMS
Source: NVD (National Vulnerability Database)
Vulnerability Description
Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code. A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited updates to existing language definitions. The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability. There are no known workarounds for this vulnerability.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
Kirby 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Kirby是Kirby开源的一套基于文件的内容管理系统(CMS)。 Kirby存在安全漏洞,该漏洞源于语言设置中的权限检查不足,允许具有Panel访问权限的攻击者操纵语言定义。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-41964
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-41964
请登录查看更多情报信息。
- Fix language permissions #6497 · getkirby/kirby@ab95d17 · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2024-41964
IV. Related Vulnerabilities
Same product: kirby
- CVE-2026-42174
Kirby: User avatar creation, replacement and deletion are no - CVE-2026-42137
Kirby: `pages.access/list` and `files.access/list` permissio - CVE-2026-42051
Kirby: System API endpoint leaks license data and installed - CVE-2026-42069
Kirby: Read access to site, user and role information is not - CVE-2026-41325
Kirby is vulnerable to authorization bypass during page, fil
Same vendor: getkirby
- CVE-2026-42174
Kirby: User avatar creation, replacement and deletion are no - CVE-2026-42137
Kirby: `pages.access/list` and `files.access/list` permissio - CVE-2026-42051
Kirby: System API endpoint leaks license data and installed - CVE-2026-42069
Kirby: Read access to site, user and role information is not - CVE-2026-41325
Kirby is vulnerable to authorization bypass during page, fil
Same weakness: CWE-863
- CVE-2026-42571
Privilege Escalation Attack affecting Pelican Web UI - CVE-2025-15633
HCL BigFix WebUI is affected by an improper authorization vu - CVE-2026-42296
Argo Workflows has incomplete fix for CVE-2026-31892: hostNe - CVE-2025-66170
Apache CloudStack: Any user can list backups that they shoul - CVE-2026-41903
FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifyi
V. Comments for CVE-2024-41964
No comments yet