Description
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page existence and retrieve title field values. This issue is fixed in versions 4.9.4 and 5.4.4.
Problem types
CWE-862: Missing Authorization
Product status
>= 5.0.0, < 5.4.4
References
github.com/.../kirby/security/advisories/GHSA-23q2-54qv-rq5x
github.com/...ommit/1ae575da24e1b1cb8803a031d37eff14606d7c55
github.com/...ommit/3bad37117adf2013548a784f820ddb2d8317333c
github.com/...ommit/3f4398cdcf9f50f84fdac52ad78a7a85fb31589f
github.com/...ommit/bffffce6c081f69c46163cc89b1fd18ccf2a18d1
github.com/getkirby/kirby/releases/tag/4.9.4
github.com/getkirby/kirby/releases/tag/5.4.4