Security announcement

lukasbestle · August 20, 2022, 12:50pm

We have been made aware of a security issue affecting Kirby versions 3.5.7 to 3.7.3 using the tags field.

We are currently working on security patches for all affected versions (3.5, 3.6 and 3.7). We plan to release the patches as soon as possible (by mid next week).

Usually we would not talk openly about a security issue that has not yet been patched, however the issue was already made public (e.g. with a YouTube video) by a third party who unfortunately did not notify us about the issue to this date. Because the issue is already public, we decided it is better to openly inform you as well.

Any critical setups where untrusted users can modify a tags field should consider to deactivate all tags fields until the patch is released. This can be done by commenting out the tags field in your site’s blueprints. Please act responsibly, you all know your setups the best and can assess the concrete risk.

mrfreedom · August 20, 2022, 2:06pm

Good thing is that there is no way for intruders to discover that website is built on Kirby unless publicly announced.

Although, if I understand you correctly, this security issue is only a problem if some malicious user has access to the panel, and there is a tags field somewhere in the panel?

lukasbestle · August 20, 2022, 2:13pm

Yes. Panel and/or a frontend form that creates or modifies content that is also accessible from the Panel.

Topic		Replies	Views
Kirby 3 & 4 Security Releases Releases 🚀	4	279	March 16, 2024
Kirby 2.5.7 — Important Security Release	3	928	November 13, 2017
Security releases – Kirby 3.5.8.1, 3.6.6.1 and 3.7.4 Releases 🚀	14	847	August 30, 2022
Kirby 3.3.6 - security release Releases 🚀	2	570	May 29, 2020
Security releases (language permissions) for Kirby 3 & 4 Releases 🚀	1	66	August 29, 2024

Security announcement

Related topics