
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Kirby CMS, a content management system targeting designers and editors, was found to have insufficient permission checks in its language settings functionality. The vulnerability (CVE-2024-41964) was discovered and disclosed on August 29, 2024. It affects multiple versions of Kirby including versions up to 3.6.6.5, 3.7.0-3.7.5.4, 3.8.0-3.8.4.3, 3.9.0-3.9.8.1, 3.10.0-3.10.1, and 4.0.0-4.3.0 (GitHub Advisory).
The vulnerability stems from missing permission enforcement in Kirby's frontend and backend code. While permissions for creating and deleting languages existed and could be configured, they were not properly enforced. Additionally, a permission for updating existing languages was entirely absent before the patched versions. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, indicating a network attack vector with low complexity, requiring low privileges and no user interaction (NVD).
The vulnerability allows attackers with Panel access to manipulate language definitions, which are core to multi-language content in Kirby. The potential impacts include: unauthorized creation of a first language, which switches Kirby to multi-language mode; deletion of existing languages, resulting in content loss; modification of language metadata, including URLs; and changes to default language settings, affecting content fallback behavior. These manipulations could lead to site availability issues or compromise content integrity (GitHub Advisory).
The vulnerability has been patched in versions 3.6.6.6, 3.7.5.5, 3.8.4.4, 3.9.8.2, 3.10.1.1, and 4.3.1. The patches include proper enforcement of the languages.create and languages.delete permissions and the introduction of a new languages.update permission. Users are advised to update to one of these versions or later to fix the vulnerability (GitHub Advisory).
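As an added illustration of the enforcement pattern the patch describes (a constructed model, not Kirby's code; the Role, Site and is_denied names and the deny-by-default behaviour are assumptions of this example), the unpatched mode shows how an editor-level role could add, change or delete languages, while the patched mode checks languages.create, languages.update and languages.delete on every call:

```python
# Constructed model of the languages.* permission checks; not Kirby's code.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass
class Role:
    name: str
    permissions: dict  # e.g. {"languages.create": False}

    def allows(self, action: str) -> bool:
        # Assumption of this model: an unlisted permission is denied.
        return bool(self.permissions.get(action, False))


@dataclass
class Site:
    enforce: bool = True  # False models the unpatched behaviour
    languages: dict = field(default_factory=dict)  # code -> settings

    def is_multilang(self) -> bool:
        return bool(self.languages)

    def _require(self, role: Role, action: str) -> None:
        # Patched versions enforce create/delete and add the new update
        # permission; before the patch these checks were missing.
        if self.enforce and not role.allows(action):
            raise PermissionDenied(f"{role.name} lacks {action}")

    def create_language(self, role, code, name, url, default=False) -> dict:
        self._require(role, "languages.create")
        if default or not self.languages:  # first language becomes default
            for lang in self.languages.values():
                lang["default"] = False
            default = True
        self.languages[code] = {"name": name, "url": url, "default": default}
        return self.languages[code]

    def update_language(self, role, code, **changes) -> dict:
        self._require(role, "languages.update")
        self.languages[code].update(changes)
        return self.languages[code]

    def delete_language(self, role, code) -> None:
        self._require(role, "languages.delete")
        del self.languages[code]


def is_denied(action, *args, **kwargs) -> bool:
    """True if the call raises PermissionDenied; used to verify enforcement."""
    try:
        action(*args, **kwargs)
    except PermissionDenied:
        return True
    return False
```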
Source: This report was generated using AI