5Hank4R

**Name of the Vulnerable Software and Affected Versions** Kirby versions prior to 3.5.8.3 Kirby versions prior to 3.6.6.3 Kirby versions prior to 3.7.5.2 Kirby versions prior to 3.8.4.1 Kirby versions prior to 3.9.6 **Description** The issue affects all Kirby sites with user accounts, unless Kirby's API and Panel are disabled in the config. It can be exploited if a Kirby user is logged in on a shared device or browser with potentially untrusted users, or if an attacker has previously used a password to log in to a Kirby site as the affected user. The problem is related to insufficient session expiration, allowing attackers to stay logged in to a Kirby site even after the user has changed their password. This is because Kirby did not invalidate user sessions created with a password that was later changed by the user or site admin. **Recommendations** To resolve the issue for versions prior to 3.5.8.3, update to Kirby 3.5.8.3 or a later version. To resolve the issue for versions prior to 3.6.6.3, update to Kirby 3.6.6.3 or a later version. To resolve the issue for versions prior to 3.7.5.2, update to Kirby 3.7.5.2 or a later version. To resolve the issue for versions prior to 3.8.4.1, update to Kirby 3.8.4.1 or a later version. To resolve the issue for versions prior to 3.9.6, update to Kirby 3.9.6 or a later version.

**Name of the Vulnerable Software and Affected Versions** Kirby versions prior to 3.5.8.3 Kirby versions prior to 3.6.6.3 Kirby versions prior to 3.7.5.2 Kirby versions prior to 3.8.4.1 Kirby versions prior to 3.9.6 **Description** The issue affects Kirby sites that allow file uploads from untrusted users or visitors, or those that do not limit file extensions to a safe list. An editor with write access to the Kirby Panel can upload a file with an unknown extension, such as `.xyz`, containing HTML code with harmful content like `<script>` tags. If a victim opens the link to this file in a browser where they are logged in to Kirby, the browser may run the script, potentially triggering requests to Kirby's API with the victim's permissions. The problem is caused by the `KirbyHttpResponse::file()` method lacking an explicit fallback for unknown MIME types. **Recommendations** Update to Kirby version 3.5.8.3 or later to fix the vulnerability. Update to Kirby version 3.6.6.3 or later to fix the vulnerability. Update to Kirby version 3.7.5.2 or later to fix the vulnerability. Update to Kirby version 3.8.4.1 or later to fix the vulnerability. Update to Kirby version 3.9.6 or later to fix the vulnerability.

**Name of the Vulnerable Software and Affected Versions** Kirby versions prior to 3.5.8.3 Kirby versions prior to 3.6.6.3 Kirby versions prior to 3.7.5.2 Kirby versions prior to 3.8.4.1 Kirby versions prior to 3.9.6 **Description** The issue affects Kirby sites with user accounts, unless Kirby's API and Panel are disabled in the config. The real-world impact of this issue is limited. However, updating to one of the patch releases is recommended because they also fix more severe issues. Kirby's authentication endpoint did not limit the password length, allowing attackers to provide a password with a length up to the server's maximum request body length. Validating that password against the user's actual password requires hashing the provided password, which requires more CPU and memory resources the longer the provided password gets. This could be abused by an attacker to cause the website to become unresponsive or unavailable. Because Kirby comes with a built-in brute force protection, the impact of this issue is limited to 10 failed logins from each IP address and 10 failed logins for each existing user per hour. **Recommendations** Update to Kirby version 3.5.8.3 or later to fix the vulnerability. Update to Kirby version 3.6.6.3 or later to fix the vulnerability. Update to Kirby version 3.7.5.2 or later to fix the vulnerability. Update to Kirby version 3.8.4.1 or later to fix the vulnerability. Update to Kirby version 3.9.6 or later to fix the vulnerability.