CVE-2024-26483

Name of the Vulnerable Software and Affected Versions Kirby CMS version 4.1.0

Description The issue is related to an arbitrary file upload vulnerability in the Profile Image module, allowing attackers to execute arbitrary code via a crafted PDF file. This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. The attack requires user interaction by another user or visitor and cannot be automated. The vulnerability can be abused to upload unexpected file types, such as PDFs, which could make it possible to perform cross-site scripting (XSS) attacks.

Recommendations For Kirby CMS version 4.1.0, update to version 4.1.1 or a later version to fix the vulnerability. This update includes validations that prevent any files that don't have an image file extension or MIME type from being uploaded as a user avatar. As a temporary workaround, consider restricting access to the Profile Image module to minimize the risk of exploitation. Avoid using the module to upload files other than images until the issue is resolved.