PT-2020-16379 · Kirby · Kirby Panel+1

Published 2020-12-08 · Updated 2021-01-14 · CVE-2020-26253

CVSS v3.1: 6.8 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

  • Kirby CMS versions prior to 3.3.6
  • Kirby Panel versions prior to 2.5.14

Description

The issue concerns a vulnerability in Kirby CMS and Kirby Panel where the admin panel's installation step may be reached if the site is hosted on a .dev domain. This is due to an outdated assumption that .dev domains are local-only development hosts, which is no longer true since .dev became a publicly registrable top-level domain. The vulnerability can be exploited if a site is hosted on a .dev domain or is behind a reverse proxy (where the application sees the proxy's local address rather than the visitor's), and the first Panel account has not yet been registered on the public server. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents where this issue was exploited.
Technical details about exploitation include:
  • API Endpoints: yourdomain.dev/panel
  • Vulnerable Parameters or Variables: None specified
  • Function Names: None specified
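To make the flaw in the description concrete from a defender's point of view, the following added Python example (not Kirby's code, and not a reconstruction of its actual checks) contrasts a hostname-spelling heuristic that treats any ".dev" name as local with a hardened check that only trusts where the name resolves to, and gates the first-account setup on an explicit operator opt-in. The suffix list, the `install_option` flag, the resolver table and the IP addresses are constructed assumptions for illustration.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Resolver type: hostname -> IP address string, or None if it does not resolve.
Resolver = Callable[[str], Optional[str]]


def dns_resolver(host: str) -> Optional[str]:
    """Real resolver for interactive use; the demo below uses a constructed table."""
    try:
        return socket.getaddrinfo(host, None)[0][4][0]
    except socket.gaierror:
        return None


# Hypothetical suffix list modelling the outdated assumption the advisory
# describes: ".dev" treated like a local-only development TLD.
LEGACY_LOCAL_SUFFIXES = (".dev", ".local", ".test")


def is_local_legacy(host: str) -> bool:
    """Flawed heuristic: decides 'local' from the hostname spelling alone."""
    host = host.lower().rstrip(".")
    if host in ("localhost", "127.0.0.1", "::1"):
        return True
    return host.endswith(LEGACY_LOCAL_SUFFIXES)


def is_local_hardened(host: str, resolve: Resolver = dns_resolver) -> bool:
    """Decide 'local' from where the name actually points, not from its TLD.

    Only loopback, private (RFC 1918 / ULA) and link-local addresses count as
    local. A public .dev name that resolves to a public address is not local,
    and a name that does not resolve at all fails closed.
    """
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)  # host may already be an IP literal
    except ValueError:
        resolved = resolve(host)
        if resolved is None:
            return False
        addr = ipaddress.ip_address(resolved)
    return addr.is_loopback or addr.is_private or addr.is_link_local


def installation_allowed(host: str, install_option: bool, behind_proxy: bool,
                         resolve: Resolver = dns_resolver) -> bool:
    """Gate the first-account setup page (hypothetical policy).

    An explicit operator opt-in (install_option) is the only thing trusted on
    a public server. Behind a reverse proxy the application cannot tell a
    public visitor from a local one, so the hostname heuristic is not used
    there at all.
    """
    if install_option:
        return True
    if behind_proxy:
        return False
    return is_local_hardened(host, resolve)


if __name__ == "__main__":
    # Constructed resolver table; 1.2.3.4 stands in for any public address.
    table = {"localhost": "127.0.0.1", "example.dev": "1.2.3.4",
             "mysite.local": "192.168.1.5"}
    lookup = lambda h: table.get(h)
    for name in table:
        print(f"{name:14} legacy={is_local_legacy(name)!s:5} "
              f"hardened={is_local_hardened(name, lookup)}")
```

Running the demo shows that `example.dev` is "local" under the legacy check and not local under the hardened one; the `behind_proxy` branch of `installation_allowed` reflects the advisory's second precondition, where no hostname or address heuristic is reliable and only an explicit opt-in should open the setup page.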
Recommendations

  • Kirby CMS versions prior to 3.3.6: upgrade to version 3.3.6 or later.
  • Kirby Panel versions prior to 2.5.14: upgrade to version 2.5.14 or later.
  • Kirby 2 sites that cannot be upgraded to Kirby 3: update to Kirby 2.5.14.
  • Temporary workaround for Kirby 2 sites on older releases: apply the changes from the specified commit.

Fix

Weakness Enumeration

Origin Validation Error

Related Identifiers

CVE-2020-26253
GHSA-2CCX-2GF3-8XVV

Affected Products

Kirby CMS
Kirby Panel