Kirby v3.4.5 Release Notes
Release Date: 2020-12-01 // over 3 years ago-
๐ Security release
๐ We've been contacted by the security researcher Thore Imhof of Accenture with a vulnerability report that affects file uploads in Kirby's Panel.
๐ An editor with full access to the Panel can upload a PHP
.pharfile and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a phar file. Visitors without Panel access cannot use this attack vector.๐ We've received this report yesterday and this release will prevent the attack.
โฌ๏ธ We recommend to upgrade your sites to Kirby 3.4.5.
๐ This security release does not introduce any features or other fixes.