PT-2023-26469 · Kirby · Kirby

5Hank4R · Published 2023-07-27 · Updated 2023-08-03 · CVE-2023-38489

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Kirby versions prior to 3.5.8.3
Kirby versions prior to 3.6.6.3
Kirby versions prior to 3.7.5.2
Kirby versions prior to 3.8.4.1
Kirby versions prior to 3.9.6
Description

The issue affects all Kirby sites with user accounts, unless Kirby's API and Panel are both disabled in the config. Kirby did not invalidate user sessions that were created with a password which was later changed, whether the change was made by the user or by a site admin. This is insufficient session expiration: an existing session stays valid after the password it was created with is no longer accepted. It can be exploited if a Kirby user is logged in on a device or browser shared with potentially untrusted users, or if an attacker has previously used the user's password to log in to the Kirby site as that user; in both cases the attacker's session keeps working after the password has been changed, so changing the password alone does not lock the attacker out.
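
The defect described above, and one common way to close it, as an added example. This is not Kirby's code and not the mechanism of Kirby's actual patch; the class and field names, and the use of a per-user password "generation" counter as the invalidation stamp, are assumptions made for the illustration. The vulnerable store maps a session token to a user name only, so a password change cannot affect it; the hardened store also records the generation current at login and refuses any session whose recorded generation no longer matches.

```python
"""CWE-613 illustration: a session that survives a password change, beside a
session store that expires it. Added example; not Kirby's code."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; any slow password hash would do.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0  # incremented on every password change (assumed design)

    @classmethod
    def create(cls, name: str, password: str) -> "User":
        salt = os.urandom(16)
        return cls(name, salt, _hash_password(password, salt))

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))

    def set_password(self, new_password: str) -> None:
        # Same path whether the user or an admin changes the password.
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(new_password, self.salt)
        self.pw_generation += 1


class VulnerableSessions:
    """Session token -> user name only: nothing ties it to the credential used."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def login(self, user: User, password: str) -> Optional[str]:
        if not user.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self._store[token] = user.name
        return token

    def resolve(self, token: str, users: Dict[str, User]) -> Optional[User]:
        name = self._store.get(token)
        return users.get(name) if name is not None else None


class HardenedSessions:
    """Session also records the password generation current at login."""

    def __init__(self) -> None:
        self._store: Dict[str, dict] = {}

    def login(self, user: User, password: str) -> Optional[str]:
        if not user.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self._store[token] = {"user": user.name, "pw_generation": user.pw_generation}
        return token

    def resolve(self, token: str, users: Dict[str, User]) -> Optional[User]:
        entry = self._store.get(token)
        if entry is None:
            return None
        user = users.get(entry["user"])
        if user is None or entry["pw_generation"] != user.pw_generation:
            # Password changed (or account removed) since login: expire the session.
            self._store.pop(token, None)
            return None
        return user


def demo() -> Dict[str, bool]:
    """Log in with the old password, change it, then reuse both sessions."""
    users = {"alice": User.create("alice", "old-password")}  # constructed account
    vulnerable, hardened = VulnerableSessions(), HardenedSessions()
    t_vuln = vulnerable.login(users["alice"], "old-password")
    t_hard = hardened.login(users["alice"], "old-password")
    before = (vulnerable.resolve(t_vuln, users) is not None,
              hardened.resolve(t_hard, users) is not None)
    users["alice"].set_password("new-password")  # by the user or by an admin
    return {
        "both_valid_before_change": all(before),
        "vulnerable_still_valid_after_change": vulnerable.resolve(t_vuln, users) is not None,
        "hardened_still_valid_after_change": hardened.resolve(t_hard, users) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Binding the session to a stamp that every password change moves, rather than deleting sessions at change time, also covers sessions stored somewhere the password-change code cannot reach (other hosts, a cache that was not flushed); the check happens on the next request instead.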
Recommendations

To resolve the issue, update to the fixed release of your branch or a later version:

Kirby prior to 3.5.8.3: update to Kirby 3.5.8.3 or later
Kirby prior to 3.6.6.3: update to Kirby 3.6.6.3 or later
Kirby prior to 3.7.5.2: update to Kirby 3.7.5.2 or later
Kirby prior to 3.8.4.1: update to Kirby 3.8.4.1 or later
Kirby prior to 3.9.6: update to Kirby 3.9.6 or later
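
A small added helper for the check above (not part of the advisory and not Kirby's own code): it maps an installed version to the fixed release of its branch using the list in this advisory. It assumes versions are dotted integers, optionally prefixed with "v", as in the "version" field of kirby/composer.json (reading that field is an assumption about the install layout), and it treats any version at or beyond 3.9.6 as not "prior to 3.9.6", which includes later branches.

```python
"""Check an installed Kirby version against the fixed releases listed in the
advisory. Added helper; not from the advisory or from Kirby."""
import json
from typing import Tuple

# Minimum fixed release per affected minor branch, taken from the advisory.
FIXED_BY_BRANCH = {
    (3, 5): (3, 5, 8, 3),
    (3, 6): (3, 6, 6, 3),
    (3, 7): (3, 7, 5, 2),
    (3, 8): (3, 8, 4, 1),
    (3, 9): (3, 9, 6),
}
LATEST_FIXED = (3, 9, 6)


def parse_version(version: str) -> Tuple[int, ...]:
    """'v3.5.8.3' -> (3, 5, 8, 3). Dotted integers only (assumption)."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def is_fixed(version: str) -> bool:
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Tuple comparison handles a missing 4th component: (3,5,8) < (3,5,8,3).
        return v >= FIXED_BY_BRANCH[branch]
    # Branches older than 3.5 have no fixed release of their own; anything at
    # or beyond 3.9.6 is not "prior to 3.9.6".
    return v >= LATEST_FIXED


def fix_target(version: str) -> str:
    """Release to update to for the given version's branch."""
    branch = parse_version(version)[:2]
    target = FIXED_BY_BRANCH.get(branch, LATEST_FIXED)
    return ".".join(str(p) for p in target)


def check_composer_json(text: str) -> Tuple[str, bool]:
    """(version, fixed?) from the contents of kirby/composer.json (assumed layout)."""
    version = json.loads(text)["version"]
    return version, is_fixed(version)


if __name__ == "__main__":
    # Constructed sample, not a real file from a Kirby install.
    sample = '{"name": "getkirby/cms", "version": "3.9.5"}'
    ver, ok = check_composer_json(sample)
    print(f"Kirby {ver}: {'fixed' if ok else 'affected, update to ' + fix_target(ver)}")
```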


Weakness Enumeration

Insufficient Session Expiration (CWE-613)

Related Identifiers

CVE-2023-38489
GHSA-5MVJ-RVP8-RF45

Affected Products

Kirby