Kirby · Kirby · CVE-2026-42051
**Name of the Vulnerable Software and Affected Versions**
Kirby versions prior to 4.9.0
Kirby versions prior to 5.4.0
**Description**
Missing authorization in the system API endpoint allows authenticated users to access sensitive information. Specifically, the `/api/system` endpoint leaks the installed Kirby version and the status, type, and code of the installed license to users who lack the `access.system` permission. Malicious actors can use this information during reconnaissance to plan further attacks.
**Recommendations**
Update to version 4.9.0 or later.
Update to version 5.4.0 or later.