PT-2020-16381 · Kirby · Kirby Panel +1

Published: 2020-12-08 · Updated: 2020-12-10 · CVE-2020-26255

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Kirby CMS versions prior to 3.4.5
Kirby Panel versions prior to 2.5.14

Description

An editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This issue is critical if there are potential attackers among authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors without Panel access cannot use this attack vector.

Recommendations

For Kirby CMS versions prior to 3.4.5, update to version 3.4.5 or a later version to fix the issue. For Kirby Panel versions prior to 2.5.14, update to version 2.5.14 or a later version to fix the issue. As a temporary workaround for Kirby 2 sites that cannot be upgraded to Kirby 3, consider applying the changes from the relevant commit to patch the vulnerability. If you cannot upgrade or patch, consider restricting access to the Kirby Panel to minimize the risk of exploitation.
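The root cause described above is an upload filter that treats .phar as a harmless extension even though a PHP-enabled web server may hand such files to the interpreter. The following is an added illustration, not Kirby's own code or its actual fix: it contrasts a weak extension check of that kind with a hardened one that inspects every extension segment of the filename, case-insensitively. The function names, the extension list and the sample filenames are assumptions constructed for this example.

```php
<?php
// Added example (not Kirby's code): a defensive upload filename check so that
// editors cannot store server-executable files such as .phar in the web root.
// The extension list below is an assumption; adjust it to your server's handlers.

declare(strict_types=1);

// Extensions a typical PHP-enabled web server may pass to the PHP interpreter.
// "phar" is the one this advisory concerns: a blocklist that stops at
// "php"/"phtml" lets a .phar upload through.
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phps', 'pht', 'phtml', 'phar',
];

// Weak check, shown for contrast only: looks at the final extension and
// omits "phar", so "shell.phar" is accepted.
function weakExtensionCheck(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, ['php', 'phtml'], true);
}

// Hardened check: every dot-separated segment after the base name is tested,
// case-insensitively, so "shell.phar", "shell.PHAR" and "shell.phar.jpg" are
// all rejected (servers that resolve handlers by any extension in the name
// make the multi-extension case matter).
function isUploadFilenameAllowed(string $filename): bool
{
    $segments = explode('.', basename($filename));
    if (count($segments) < 2 || $segments[0] === '') {
        return false; // no extension or a dotfile: reject rather than guess
    }
    foreach (array_slice($segments, 1) as $segment) {
        if (in_array(strtolower($segment), EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample filenames showing where the weak check fails.
$samples = ['photo.jpg', 'shell.php', 'shell.phar', 'shell.PHAR', 'shell.phar.jpg'];
foreach ($samples as $name) {
    printf(
        "%-16s weak=%s hardened=%s\n",
        $name,
        weakExtensionCheck($name) ? 'allow' : 'deny',
        isUploadFilenameAllowed($name) ? 'allow' : 'deny'
    );
}
```

Running it prints `allow` for `shell.phar` under the weak check and `deny` under the hardened one. A blocklist is still the weaker design: an allowlist of the media types a site actually needs (images, documents) plus a web-server rule that never executes anything under the uploads directory removes the dependence on keeping the list complete.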

Fix

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2020-26255
GHSA-G3H8-CG9X-47QW

Affected Products

Kirby CMS
Kirby Panel