Important Security Update
An anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program has reported two vulnerabilities in Kirby 2.1.0 today.
The first vulnerability allows to bypass panel authentication in a hosting environment where users within the same shared environment can save/read files in a directory accessible by both the victim and the attacker.
The second issue allows authenticated users to upload normally disallowed PHP script files via the panel combined with a cross-site scripting attack.
Every Kirby 2 website should be updated immediately to 2.1.1 to fix the vulnerabilities.
You can find detailed instructions on how to update your current installation in our docs.
Download Kirby 2.1.1
For further questions please don't hesitate to send an email at: firstname.lastname@example.org