CVE-2024-26483: 
PHP vulnerability analysis and mitigation

An arbitrary file upload vulnerability was discovered in the Profile Image module of Kirby CMS version 4.1.0. The vulnerability allows authenticated users with Panel access to upload files with dangerous types as user avatars, bypassing the intended image-only restriction. This security issue was assigned CVE-2024-26483 and was disclosed on February 26, 2024 (GitHub Advisory).

The vulnerability stems from insufficient file type validation in the user avatar upload functionality. While the system has protections against certain dangerous file types like HTML or PHP files, it failed to properly restrict uploads to image files only. The vulnerability has been assigned a CVSS v3.1 base score of 4.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N, indicating that it requires network access, low attack complexity, low privileges, and user interaction (GitHub Advisory).

While the vulnerability does not allow for direct remote code execution (RCE), it can be exploited to upload unexpected file types such as PDFs that would then be accessible via direct links. These links could be shared with other users, potentially enabling cross-site scripting (XSS) attacks. The attack requires user interaction by another user or visitor and cannot be automated (GitHub Advisory).

The vulnerability has been patched in multiple versions: 3.6.6.5, 3.7.5.4, 3.8.4.3, 3.9.8.1, 3.10.0.1, and 4.1.1. The fix implements proper validation to prevent any files that don't have an image file extension or MIME type from being uploaded as a user avatar. Users are advised to update to one of these patched versions or a later release (GitHub Advisory).