Kirby
cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*
- >= 5.0.0, <= 5.2.1
A vulnerability exists in Kirby, an open-source content management system, in versions starting with 5.0.0 and prior to 5.2.1. The issue arises from missing permission checks in the content changes API and specifically affects sites where user permissions have been customized to restrict certain roles from writing. It allows users with Panel access to manipulate changes versions and content fields, potentially disrupting the work of other users and introducing unauthorized changes.
Exploitation of this vulnerability could lead to unauthorized creation or modification of changes versions for any model on the site, including pages, users, files, or site-wide settings. This could lock other users out of making content changes or allow for the introduction of spam, defamatory content, or malicious links and scripts, which could be published under the guise of an authorized user.
To reproduce this vulnerability, configure user permissions to disable the update permission for specific roles, preventing them from making content changes. Then, log in as a user with Panel access who has been assigned one of these roles. Attempt to create a new changes version or modify an existing one. The absence of permission checks will allow these actions to be performed, despite the permission restrictions in place.
Update Kirby to version 5.2.2 or later, where this vulnerability has been patched. In this release, permission checks have been added to ensure that users without update permissions cannot create, edit, or discard changes versions for the respective model.
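A defender-side exposure check for the condition described above, added here as an example (not code from Kirby or from this advisory): it flags roles that can reach the Panel but are denied `update`, on an install inside the affected range. The version numbers come from this page; the permission-resolution rules, the category names and the sample roles are assumptions.

```python
import re

# Affected range and fixed release as stated on this page.
AFFECTED_MIN, AFFECTED_MAX, FIXED = (5, 0, 0), (5, 2, 1), "5.2.2"
MODELS = ("pages", "files", "users", "site")  # assumed permission categories


def parse_version(text):
    """Return (major, minor, patch); any pre-release suffix is ignored."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())


def allows(permissions, category, action):
    """Resolve one permission. Assumed semantics: unset means allowed,
    a bare boolean covers a whole level, '*' is a per-category wildcard."""
    if isinstance(permissions, bool):
        return permissions
    cat = (permissions or {}).get(category)
    if cat is None:
        return True
    if isinstance(cat, bool):
        return cat
    return bool(cat.get(action, cat.get("*", True)))


def exposed_roles(version, roles):
    """Map role name -> models where 'update' is denied although the Panel
    is reachable, for installs inside the affected range; {} otherwise."""
    if not AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX:
        return {}
    findings = {}
    for name, perms in roles.items():
        if not allows(perms, "access", "panel"):
            continue  # role cannot reach the Panel at all
        denied = [m for m in MODELS if not allows(perms, m, "update")]
        if denied:
            findings[name] = denied
    return findings


# Constructed sample: permissions as parsed from hypothetical role blueprints.
SAMPLE_ROLES = {
    "admin": True,
    "editor": {"access": {"panel": True}},
    "reviewer": {"pages": {"update": False}, "site": {"*": False}},
    "api-only": {"access": {"panel": False}, "pages": False},
}
```

A non-empty result means the site relies on an `update` restriction that the affected versions do not enforce for changes versions, so the upgrade to the fixed release should be prioritized.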