Kirby · Kirby · CVE-2026-42137
**Name of the Vulnerable Software and Affected Versions**
Kirby versions prior to 4.9.0
Kirby versions prior to 5.4.0
**Description**
Missing authorization allows authenticated users to perform actions they are not intended to have access to, potentially leading to unauthorized access to sensitive information. The issue occurs when `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. Specifically, models for which access or list permissions were disabled were not consistently hidden in the following scenarios:
- The Panel changes dialog listed changed models regardless of listable status.
- The REST API failed to consistently filter collections and related models, including missing checks for children, drafts, files, parents, and siblings of pages; parents and siblings of files; children, drafts, and files of the site model; and files of users.
- The site and pages children and search routes checked `pages.access` instead of `pages.list`, and the account, site, pages, and users files and search routes checked `files.access` instead of `files.list`.
- Panel images for site, pages, and users were displayed in parent model lists even if the image files were not listable.
- Link targets for previous and next files in the files view were not restricted by listable permissions.
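The following Python is an added illustration, not Kirby's code: it models the two permission axes named above (access versus list) and shows why filtering a collection on the access permission leaks models that are accessible but not listable, while the fixed filters apply the list check to children, files, siblings and search alike. The `Model` class, the filter functions and the sample page tree are all constructed for this example.

```python
"""Constructed model (not Kirby's code) of the access-vs-list split behind
CVE-2026-42137: a model may be accessible (openable by direct request) yet
not listable (must not appear in collections, search or related-model lists)."""
from dataclasses import dataclass, field

@dataclass
class Model:
    id: str
    accessible: bool = True   # stands in for the *.access permission
    listable: bool = True     # stands in for the *.list permission
    children: list = field(default_factory=list)
    files: list = field(default_factory=list)
    parent: "Model | None" = None

    def attach(self, child, kind="children"):
        child.parent = self
        getattr(self, kind).append(child)
        return self

def visible_vulnerable(models):
    # BUG: the listing is filtered on the access permission, so a model that
    # is accessible but not listable still shows up in the collection.
    return [m.id for m in models if m.accessible]

def visible_fixed(models):
    # Collections (children, files, changes dialog) filter on the list permission.
    return [m.id for m in models if m.listable]

def siblings_fixed(model):
    # Related models derived from the parent's children are re-filtered too.
    if model.parent is None:
        return []
    return visible_fixed(c for c in model.parent.children if c is not model)

def search_fixed(root, term):
    # Search applies the list check at every level instead of trusting the parent.
    hits = []
    for node in root.children + root.files:
        if node.listable and term in node.id:
            hits.append(node.id)
        hits.extend(search_fixed(node, term))
    return hits

def sample_site():
    # Constructed sample tree: a public page with a listable and an unlisted
    # file, an accessible-but-unlisted page, and a fully hidden page.
    public = Model("public").attach(Model("brochure.pdf"), "files")
    public.attach(Model("contract.pdf", listable=False), "files")
    return (Model("site").attach(public)
            .attach(Model("internal", listable=False))
            .attach(Model("secret", accessible=False, listable=False)))
```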
**Recommendations**
Update to version 4.9.0 or later.
Update to version 5.4.0 or later.