getkirby/kirby
cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*
- <= 4.8.0
- >= 5.0.0, <= 5.3.3
Kirby, an open-source content management system, contains an information-disclosure vulnerability in versions before 4.9.0 and in 5.0.0 through 5.3.3. The system API endpoint returned the installed Kirby version and the site's license information to any authenticated user, even though that data is meant to be restricted to users holding the 'access.system' permission. Any account that can log in to the Panel could therefore read the exact Kirby version and license details. Neither value is exploitable on its own, but both are useful for reconnaissance, for example to match the installation against known vulnerabilities in that specific version before attempting further attacks.
Users should upgrade to Kirby 4.9.0 or 5.4.0. Both releases fix the issue by having the system API endpoint return version and license data only to users who hold the 'access.system' permission; users without it still receive the rest of the system information they need for the Panel to function.
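A practical check for this issue, as an added example rather than code from the Kirby project or from this entry: the first helper evaluates an installed version against the affected ranges listed at the top of this entry; the second inspects a captured JSON response from the system endpoint and reports the 'license' and 'version' fields when they were returned to a caller who lacks the 'access.system' permission. The JSON field names, the wrapping of the body under a 'data' key, and the sample response are assumptions constructed for the example; the real endpoint's response shape and the way your deployment determines a user's permissions may differ.

```python
import json
from typing import List, Tuple

# Affected ranges from this entry: <= 4.8.0 and >= 5.0.0, <= 5.3.3.
AFFECTED_RANGES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((0, 0, 0), (4, 8, 0)),
    ((5, 0, 0), (5, 3, 3)),
]

# Fields the fixed versions only return to holders of 'access.system'.
# Assumption: the endpoint exposes them under exactly these JSON keys.
PRIVILEGED_FIELDS = ("license", "version")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.3.3' into (5, 3, 3).

    A leading 'v' and any pre-release or build suffix ('5.4.0-rc.1',
    '5.4.0+build') are dropped, so a pre-release of a fixed version is
    treated as the fixed version. Tighten this if you need pre-releases
    counted as vulnerable."""
    core = version.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    # Normalise '4.8' to (4, 8, 0) so tuple comparison stays consistent.
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True if the given Kirby version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_leaked_fields(response: dict, caller_has_access_system: bool) -> List[str]:
    """Return the privileged fields present in a system-endpoint response
    that was served to a caller without 'access.system'.

    An empty list means nothing was disclosed beyond what the caller is
    allowed to see; a non-empty list on a response captured for a
    low-privileged user indicates the unpatched behaviour."""
    if caller_has_access_system:
        return []
    # Tolerate both a wrapped body ({"data": {...}}) and a bare object.
    data = response.get("data", response)
    return [field for field in PRIVILEGED_FIELDS if field in data]


# Constructed sample: what a response to a low-privileged Panel user
# might look like on an unpatched install. Not captured from a real site;
# the license sub-fields are placeholders.
SAMPLE_RESPONSE = json.loads("""
{
  "status": "ok",
  "data": {
    "isOk": true,
    "version": "5.3.3",
    "license": {"type": "example", "status": "active"}
  }
}
""")


if __name__ == "__main__":
    ver = SAMPLE_RESPONSE["data"]["version"]
    print(f"Kirby {ver} affected: {is_affected(ver)}")
    print("Fields disclosed to a user without access.system:",
          find_leaked_fields(SAMPLE_RESPONSE, caller_has_access_system=False))
```

To use this against a live site, log in to the Panel as a user whose role does not grant 'access.system', fetch the system endpoint with that session, and pass the decoded JSON to find_leaked_fields with caller_has_access_system=False; after upgrading to 4.9.0 or 5.4.0 the same call should return an empty list.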