🚨 Security
User enumeration in the code-based login and password reset forms
Severity: medium (CVSS score 4.8)
Errors that occur during the processing of the code-based login and password reset were in some cases passed to the user. This includes errors of the code challenge itself (e.g. if the email could not be sent) and errors thrown inside the user.login:failed hook.
This vulnerability allowed user enumeration, which is a type of vulnerability that allows attackers to confirm which users are registered in a Kirby installation. This information can be abused for social engineering attacks against users of the site or to find out the organizational structure of the company.
This vulnerability only affects you if you are using the code or password-reset auth method with the auth.methods option. It can only be successfully exploited under server configuration conditions outside of the attacker's control.
Thanks to Florian Merz (@florianmrz) of hatchery.io for responsibly reporting the identified issue.
User enumeration in the brute force protection
Severity: medium (CVSS score 6.5)
We used the opportunity to review other parts of Kirby's authentication handling and found another part that is affected by a similar user enumeration vulnerability caused by a response discrepancy in Kirby's brute force protection system.
This vulnerability affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be exploited for targeted attacks because the attack does not scale to brute force.
✨ Enhancements
- UUIDs can be disabled locally via
content.uuidoption #4755 - Improved version information of plugins installed with Composer #4733
F::load()andF::loadOnce()now guard against unintended output when passing a new 4th parameter$allowOutputasfalse#4656- Fatal errors are written to PHP error log #4775
A::merge($array1, $array2, $array3, A::MERGE_APPEND)now supports to merge more than 2 arrays #4675- Upgraded dependencies
🐛 Bug Fixes
- System view: console message about accessible folders/files issues fixed #4774
- Panel lock requests happen silent again (without triggering the loading indicator) #4770
- Fixed visual glitch for Panel text inputs with Chrome autofill #4767
- Corrected picker fields
storeprop description #4780 go($site->homePage())redirects to absolute URLs again. #4781- Fixed generating a
uuidvalue for models when thecontent.uuidoption is disabled #4787
♻️ Refactoring
- Removed else statements to improve code readability #4773