Published: 08/12/2020 Updated: 10/12/2020

CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8

CVSS v3 Base Score: 9.1 | Impact Score: 6 | Exploitability Score: 2.3

VMScore: 578

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors without Panel access *cannot* use this attack vector. The problem has been patched in Kirby 2.5.14 and Kirby 3.4.5. Please update to one of these or a later version to fix the vulnerability. Note: Kirby 2 reaches end of life on December 31, 2020. We therefore recommend to upgrade your Kirby 2 sites to Kirby 3. If you cannot upgrade, we still recommend to update to Kirby 2.5.14.

Vulnerable Product	Search on Vulmon	Subscribe to Product
getkirby kirby
getkirby panel

CWE-434 https://packagist.org/packages/getkirby/cms https://github.com/getkirby-v2/panel/commit/5a569d4e3ddaea2b6628d7ec1472a3e8bc410881 https://packagist.org/packages/getkirby/panel https://github.com/getkirby/kirby/commit/db8f371b13036861c9cc5ba3e85e27f73fce5e09 https://github.com/getkirby/kirby/releases/tag/3.4.5 https://github.com/getkirby/kirby/security/advisories/GHSA-g3h8-cg9x-47qw https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2020-26255

Vulnerability Summary

Vulnerability Trend

References

Vulmon Search

About

Products

Connect