github getkirby/kirby 3.9.8.2

21 days ago

🚨 Security

Insufficient permission checks in the language settings

Severity: high (CVSS score 8.1)

Kirby's frontend and backend code did not enforce the existing languages.create and languages.delete permissions.

The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.

This vulnerability affects all Kirby sites with the languages option enabled where the group of authenticated Panel users might contain potential attackers.

If you have disabled the languages and/or api option and don't call any methods in your code that perform write access to languages (language creation, update or deletion), your site is not affected.
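The following is an added illustration, not Kirby's own code, of what the missing server-side check looks like next to its enforced form: a language write must consult the caller's role permissions (`languages.create`, `languages.delete`) before anything is written. The `RolePermissions` resolver, `LanguageStore`, and the constructed editor/admin scenario are hypothetical; only the blueprint keys (`permissions` → `languages` → `create`/`delete`) follow the structure of a Kirby role blueprint.

```php
<?php
declare(strict_types=1);

// Illustration only (not Kirby's implementation). Names are hypothetical.

class PermissionException extends RuntimeException {}

/** Resolves the `permissions:` section of a role blueprint into per-action booleans. */
final class RolePermissions
{
    /** category => action => allowed; everything is allowed unless the blueprint restricts it */
    private array $actions = [
        'languages' => ['create' => true, 'delete' => true],
    ];

    /** @param bool|array $blueprint value of the blueprint's `permissions:` key */
    public function __construct(bool|array $blueprint = true)
    {
        if (is_bool($blueprint)) {          // `permissions: false` disables everything
            $this->setAll($blueprint);
            return;
        }
        if (array_key_exists('*', $blueprint)) {   // `"*": false` sets a new default first
            $this->setAll((bool) $blueprint['*']);
            unset($blueprint['*']);
        }
        foreach ($blueprint as $category => $value) {
            if (!isset($this->actions[$category])) {
                continue;                   // unknown category: ignored
            }
            if (is_bool($value)) {          // `languages: false` disables the whole category
                foreach ($this->actions[$category] as $action => $_) {
                    $this->actions[$category][$action] = $value;
                }
            } elseif (is_array($value)) {   // `languages: { create: false }` per action
                foreach ($value as $action => $allowed) {
                    if (isset($this->actions[$category][$action])) {
                        $this->actions[$category][$action] = (bool) $allowed;
                    }
                }
            }
        }
    }

    private function setAll(bool $allowed): void
    {
        foreach ($this->actions as $category => $actions) {
            foreach ($actions as $action => $_) {
                $this->actions[$category][$action] = $allowed;
            }
        }
    }

    /** Unknown category/action resolves to false: deny rather than silently allow. */
    public function for(string $category, string $action): bool
    {
        return $this->actions[$category][$action] ?? false;
    }
}

/** Hypothetical stand-in for the code path that writes language definitions. */
final class LanguageStore
{
    private array $languages = [];   // code => name

    // Vulnerable shape: reachable by any authenticated Panel user, no role check at all.
    public function createUnchecked(string $code, string $name): void
    {
        $this->languages[$code] = $name;
    }

    // Enforced shape: the caller's role must grant languages.create before the write.
    public function create(RolePermissions $perms, string $code, string $name): void
    {
        if ($perms->for('languages', 'create') !== true) {
            throw new PermissionException('You are not allowed to create languages');
        }
        $this->languages[$code] = $name;
    }

    // Same guard for languages.delete.
    public function delete(RolePermissions $perms, string $code): void
    {
        if ($perms->for('languages', 'delete') !== true) {
            throw new PermissionException('You are not allowed to delete languages');
        }
        unset($this->languages[$code]);
    }

    public function codes(): array
    {
        return array_keys($this->languages);
    }
}

// Constructed scenario: an editor role whose blueprint contains
//   permissions:
//     languages:
//       create: false
//       delete: false
$editor = new RolePermissions(['languages' => ['create' => false, 'delete' => false]]);
$admin  = new RolePermissions(true);

$store = new LanguageStore();
$store->create($admin, 'en', 'English');

$store->createUnchecked('de', 'Deutsch');             // unchecked path: the editor's request lands
echo implode(',', $store->codes()), PHP_EOL;           // en,de

try {
    $store->delete($editor, 'en');                     // enforced path: the same editor is refused
} catch (PermissionException $e) {
    echo 'denied: ', $e->getMessage(), PHP_EOL;
}
```

The point of the two `LanguageStore` methods is that a blueprint restriction is only as good as the code that consults it: on an affected version the blueprint above would have been declared correctly yet ignored on the write path, which is why the fix is to upgrade rather than to tighten role blueprints.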

Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
