VYPR
Moderate severity · NVD Advisory · Published Feb 22, 2024 · Updated Apr 22, 2025

CVE-2024-26483

Description

An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kirby CMS 4.1.0 arbitrary file upload via Profile Image module allows authenticated users to upload non-image files like PDFs, potentially enabling XSS.

Vulnerability

Overview

CVE-2024-26483 affects the profile image (avatar) upload of the Kirby CMS Panel in the 3.x and 4.x release lines prior to the patched versions listed below (4.1.1 for the 4.x line). The backend did not validate the file extension or the MIME type of the uploaded avatar, so any authenticated Panel user could upload a file with a non-image extension such as .pdf. Dangerous file types like HTML and PHP were already blocked by a denylist, but nothing enforced that the uploaded file was actually an image [1][2].

Exploitation

The attack requires an account with Panel access: the attacker uploads a crafted file through the avatar upload of their own user account. The file is stored under the fixed basename profile with the attacker-supplied extension, so it is reachable by a predictable direct URL. The attack cannot be run against an unauthenticated target; it requires a logged-in Panel user, and a low-privilege account is sufficient [2].

Impact

Although the advisory states that the vulnerability does not directly enable remote code execution (RCE), it allows uploading unexpected file types (for example PDFs) that are then served from the site and can be shared with other users. This can be abused for cross-site scripting (XSS): a file containing JavaScript that a browser executes when it opens or renders the file would run in the context of the Kirby site's origin when a victim accesses it [2].

Mitigation

The vulnerability has been patched in Kirby versions 3.6.6.5, 3.7.5.4, 3.8.4.3, 3.9.8.1, 3.10.0.1, and 4.1.1. The fix replaces the denylist-only behaviour with a positive check: the avatar upload now rejects any file that does not have an image file extension and an image MIME type. All users should update to the patched release of their line [2].
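To make the difference between the two checks concrete, here is an added example in Python; it is not Kirby's code and not the actual patch, only an illustration of the pattern the fix follows. The allowed extension set, the magic-byte table, and the sample uploads are assumptions constructed for this example. The flawed denylist check accepts a PDF because .pdf is not on the blocklist; the hardened check requires an allowlisted image extension, sniffs the content, and derives the stored extension from the sniffed type rather than from the request.

```python
"""Avatar upload validation: denylist-only (the flawed pattern) versus
allowlist plus content sniffing (the hardened pattern). Illustrative code,
not Kirby's implementation."""

# Denylist that blocks executable/markup types but lets everything else through.
# This reproduces the weak behaviour described in the advisory (assumed set).
DANGEROUS_EXTENSIONS = {"php", "phtml", "html", "htm", "js", "svg"}

# Allowlist for the hardened check (assumed set; adjust to what a site must accept).
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}

# Leading magic bytes -> (MIME type, canonical extension). Small assumed table.
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "image/png", "png"),
    (b"GIF87a", "image/gif", "gif"),
    (b"GIF89a", "image/gif", "gif"),
    (b"%PDF-", "application/pdf", "pdf"),
]


def sniff(data: bytes):
    """Return (mime, canonical_ext) from the leading bytes, or (None, None)."""
    for magic, mime, ext in SIGNATURES:
        if data.startswith(magic):
            return mime, ext
    # WebP is a RIFF container: 'RIFF' <size> 'WEBP'.
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp", "webp"
    return None, None


def extension_of(filename: str) -> str:
    """Lower-cased extension of the last path component ('' if none)."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def denylist_check(filename: str) -> bool:
    """Flawed check: anything not explicitly dangerous is accepted, so a
    '.pdf' upload passes and is served back from the site."""
    return extension_of(filename) not in DANGEROUS_EXTENSIONS


def validate_avatar(filename: str, data: bytes):
    """Hardened check: the extension must be an allowlisted image extension
    AND the sniffed content must be an image of the matching type.
    Returns (accepted, stored_name_or_reason)."""
    ext = extension_of(filename)
    if ext not in IMAGE_EXTENSIONS:
        return False, f"extension '{ext or '<none>'}' is not an allowed image extension"
    mime, sniffed_ext = sniff(data)
    if mime is None or not mime.startswith("image/"):
        return False, f"content is {mime or 'unrecognised'}, not an image"
    # Normalise 'jpeg' to the canonical 'jpg' before comparing with the sniff result.
    if sniffed_ext != ("jpg" if ext == "jpeg" else ext):
        return False, f"extension '{ext}' does not match content type {mime}"
    # Fixed basename; the extension comes from the content, never from the request.
    return True, f"profile.{sniffed_ext}"


# Constructed sample uploads (headers only; not real image or PDF documents).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PDF_SAMPLE = b"%PDF-1.7\n% constructed sample, not a real document\n"
PHP_SAMPLE = b"<?php echo 1;"


def run_samples():
    """Apply both checks to the constructed uploads; returns
    {label: (denylist_accepts, (hardened_accepts, stored_name_or_reason))}."""
    cases = {
        "avatar.png (real PNG header)": ("avatar.png", PNG_SAMPLE),
        "doc.pdf (PDF, honest extension)": ("doc.pdf", PDF_SAMPLE),
        "avatar.jpg (PDF renamed to .jpg)": ("avatar.jpg", PDF_SAMPLE),
        "avatar.php (PHP source)": ("avatar.php", PHP_SAMPLE),
    }
    return {
        label: (denylist_check(name), validate_avatar(name, data))
        for label, (name, data) in cases.items()
    }


if __name__ == "__main__":
    for label, (weak, strong) in run_samples().items():
        print(f"{label:36} denylist={weak!s:5} hardened={strong}")
```

Note that the denylist check and the hardened check disagree only on the PDF cases: both reject PHP, both accept a genuine PNG, but only the hardened check rejects a PDF, whether it arrives as doc.pdf or renamed to avatar.jpg. Real deployments should sniff with a maintained library (for example PHP's finfo or an image decoder) rather than a hand-written magic table, but the structure of the check is the same.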

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions         Patched version
getkirby/cms (Packagist)   < 3.6.6.5                 3.6.6.5
getkirby/cms (Packagist)   >= 3.7.0, < 3.7.5.4       3.7.5.4
getkirby/cms (Packagist)   >= 3.8.0, < 3.8.4.3       3.8.4.3
getkirby/cms (Packagist)   >= 3.9.0, < 3.9.8.1       3.9.8.1
getkirby/cms (Packagist)   >= 3.10.0, < 3.10.0.1     3.10.0.1
getkirby/cms (Packagist)   >= 4.0.0, < 4.1.1         4.1.1
