3.6.6.6

🚨 Security

Insufficient permission checks in the language settings

Severity: high (CVSS score 8.1)

Kirby's frontend and backend code did not enforce the existing languages.create and languages.delete permissions.

The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.

This vulnerability affects all Kirby sites with enabled languages option that might have potential attackers in the group of authenticated Panel users.

If you have disabled the languages and/or api option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.

Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.

---

Important note: This release marks the end of security support for Kirby 3.6. This version of Kirby has now reached its end of life and will no longer receive any updates whatsoever, including security updates. Please update to a more recent Kirby release to stay secure.

➡️ Read more

5.0.0-alpha.2

Pre-release notes: https://getkirby.com/buzz/v5-alpha

3.10.1

✨ Enhancements

• Update Symfony YAML component to v6 #6161
• Update Composer dependencies

5.0.0-alpha.1

Pre-release notes: https://getkirby.com/buzz/v5-alpha

4.3.0

🎉 Features

• System view: added button to copy relevant system information #6416
• <k-button>: theme supports values suffixed with -icon now, e.g. positive-icon for filled buttons with only the icon colored

<k-button icon="heart" theme="negative-icon" variant="filled">Love</k-button>

✨ Enhancements

• Remove hard-coded restriction of supported servers #6415
• Plugin registration with named arguments #6337 Allow passing plugin info, e.g. version, as argument that gets merged with the info from composer.json

Kirby::plugin(
    name: 'my/plugin',
    extends: [],
    info: [
        'homepage' => 'https://my-plugin.example.com'
    ],
    version: '1.0.0'
);

• The update check in the Panel system view now offers free major updates if included in the activated license #5974
• New icons: text-top, text-middle, text-bottom https://feedback.getkirby.com/592 #6374

• (video: ) KirbyTag: support for disablepictureinpicture attribute #6413
• Editor: new insertNode util #6383
• CSS data-theme with color names #6407
• New download prop for k-link (and respective k-button when passing a link) to set the download attribute #6417
• Page section: Show Add button also in sections only showing listed/unlisted pages when all allowed blueprints create new child pages directly as listed/unlisted https://feedback.getkirby.com/181
• Dropdown options can emit global Panel events on click now, which can be used e.g. when extending setting dropdowns in a plugin to react in JS with an action when option is clicked https://feedback.getkirby.com/638 #6411
• Panel notifications support theme prop #6423
• New window.panel.notification.info(message). #6423
• Upload dialog: better preview icons and separate components for upload items and a single upload item #6424
• QrCode class: methods accept new $border argument #6445 (thanks @rasteiner)
• Added lab examples for k-login and k-login-code. #6365
• Updated PR template #6464

🐛 Bug fixes

• Editor: nodeInputRule only overwrites matched selection #6385
• Writer: inline nodes are included when inline: true mode is active #6386
• File create format option is not applied to non-images anymore #6359
• Non existing media files no longer throw error 500: the thumbnail configuration could not be found #6453
• Fix deprecation warning in router #5895
• Panel search fixed when UUIDs are disabled (thanks to @toebu) #6395
• Fixes Title and Link text translations for the different usages: #6402
  • Writer field email dialog hasTitle field
  • Textarea field email dialog has Link text field
• File upload: fix sort number #6380
• Fix tab badges #6427
• CalendarInput: fix when no value #6422
• DateInput: fix clearing #6392
• Upload dialog: allows @, . and _ in filenames to be consistent with other filename rules #6462
• $file->changeName() now sanitizes new filenames with. included correctly #6462
• Fix line break when label in block preview fields is too long (thanks @tobimori) #6452

☠️ Deprecated

• Plugin registration: Passing info or root in plugin extends array. Instead pass these as standalone named arguments.
• <k-login> is deprecated. Use <k-login-form> instead.
• <k-login-code> is deprecated. Use <k-login-code-form> instead.

♻️ Refactored

• Reusing link and button props in higher-up components #6417
• Introduce new App::currentLanguage() method #6434
• Refactor App::language() to introduce new current option which creates a more predicatable way to
  fetch languages in content, translation and future version methods. #6434
• Clean up of components code for k-login and k-login-code. #6365
• Moved all login-related Vue components into same location #6463
• Aligned some of the component names #6463

🧹 Housekeeping

• Upgrade to eslint 9 #6396
• Used Rector to improve code quality. #6431

4.2.0

🎉 Features

• New api option for Sections to define API endpoints just like for fields #6246

✨ Enhancements

• Added option to change the number of threads for the ImageMagick driver (thanks to @caplod) #6210

<?php

return [
  'thumbs' => [
    'driver' => 'im',
    'threads' => 2
  ]
];

• Video block now also supports local videos by default #6113
• Significantly improved file sorting performance (thanks @rasteiner) #6112
• The login form can now be prefilled for testing use cases with the new value prop of the k-login-view component #6364
• Lab: $helpers docs #6257 #6287
• Improved Panel favicons for dark mode, including media attribute support for custom Panel favicons #5657
• Updated icons: expand, collapse, divider and chart
• Support non string scalar values in where clause builder for 2 arguments (thanks @SeriousKen) #6291
• Add native validity to range input #6253
• Added native validity to calendar, date, time, timoptions inputs #6254
• Enhanced options for database table creation: #6303
  • Adds unsigned option for integers. Defaults to true to maintain backwards compatibility.
  • Adds size option for varchars. Defaults to 255 to maintain backwards compatibility.
  • Adds float type to create a floating point columns.
  • Adds decimal type to create decimal columns with precision and decimal_places options. The new features are aimed at MySQL and are ignored in SQLite as they are not supported. Float and decimal both map to REAL columns in SQLite.
• Improve k-user-avatar #6325
• Translatable panel menu titles #6311
• Allow unknown file extensions to be selected in file open dialog (thanks to @rasteiner) #6263
• Added pagination to the file browser in the link field #6288
• Date and time field interpret a few more input formats correctly #6362
• Table layout: allow modifying default columns #6335

🐛 Bug fixes

• A::prepend() now behaves the same as A::append() (just opposite side) for non-associative arrays #6219
• Translatable range tooltip #6221
• Disabled inputs don't show placeholders anymore #6163
• Choice inputs have similar disabled styling as other fields
• alpha and hue inputs: setting custom min and max props would break the inputs. Those props aren't falsely exposed anymore. #6251
• colorname input: props that were falsely exposed are now correctly unset #6255
• search input: props that were falsely exposed are now correctly unset #6256
• Fixed fallback null value for Text\KirbyTag::parent() #6220
• Fixed upgrade status for PHP version strings with extra information (thanks @SeriousKen) #6262
• Database\Query: Fixed using BETWEEN or NOT BETWEEN in →where() clause (thanks @SeriousKen) #6292
• Database: Fixed handling of boolean values in prepared statements (thanks @SeriousKen) #6297
• Fix for Date::round() not taking timezone into account properly (thanks @SeriousKen) #6264
• Fix header offset when no sticky header #6283
• Fix k-tabs inline variable assignment #6324
• Writer field counter correctly strips HTML again #6323
• Keep title and slug when switching template in create dialog #6328
• Panel fields: fix direction for content language #6350
• Tags input: when creating a new tag, the input is now correctly split at the separator into multiple tags #6341
• Fix blocks styling inside layout column #6280
• Fixed page create dialog when used with pages section on user/file blueprint #6190
• Close all nested drawers when navigating #6274
• Object field: inline previews are not editable anymore when the subfield is disabled #6346
• Fix toggle field preview value error #6249
• Table: fix width for image and flag column on mobile #6228

♻️ Refactored

• Slight performance improvements for Dir::inventory() #6218
• Clean up Cms\Blueprint class #6206
• Fix v-bind order #6333
• Use mounted lifecycle hooks instead of created #6336

🧹 Housekeeping

• Unit tests: properly resetting error handlers (thanks to @SeriousKen) #6259
• Upgraded Psalm
• Added performance tests for Dir::inventory() with various number of page models #6218
• Added more explicit coverage annotations to Options, Query, Text and partially Toolkit packages tests, including additional tests for uncovered code #6220
• Lab: added GitHub source links for all helpers, libraries and CSS examples #6295
• Removed Lab\Example::github() linking to lab example file #6295

4.1.2

🐛 Bug fixes

• Don’t throw an exception in the permalinksToUrlsmethod if a model for a UUID cannot be found #6165
• Don't redeclare the dump helper if it already exists. This fixes Kirby for Herd Pro users and other cases where dump is already defined by the environment #6250
• Fix emoji overflow issue in k-icon-frame #6315
• Fix commands for custom textarea buttons #6039
• More stability for the toFiles method by checking for valid file IDs #6318
• Suppress warnings in the Remote class if system CA is outside of open_basedir #6316
• Fix tables in the object field and license dialog #6307 and partially #6228

4.1.1

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:

• Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
• Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
• Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)

Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.

Updated docs on the Markdown safe mode

During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.

The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.

The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.

➡️ Read more

---

✨ Enhancements

• New $file->sharpen() method for images #6227

---

🐛 Bug fixes

• Fixed Str::excerpt() for texts without spaces #6215
• Proper error message when a MIME type of a file is being validated but could not be determined from the file  #6095
• k-button-group wrap with long label line. #6231
• "Invalid Date" parsing dates in pages section with layout: table #6234
• Disable license dialog in demo mode #6271
• Emojis are now working in buttons and the k-icon component #6276

---

🧹 Housekeeping

• Prettier is used properly in CI (and Highlight.vue is properly ignored) #6270
• Remove reviewdog tool from CI to reduce complexity #6290
• Upgrade GitHub workflow actions #6272

3.10.0.1

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:

• Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
• Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
• Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)

Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.

Updated docs on the Markdown safe mode

During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.

The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.

The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.

➡️ Read more

3.9.8.1

🚨 Security release

This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:

• Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
• Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
• Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)

Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.

Updated docs on the Markdown safe mode

During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.

The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript: links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.

The documentation on the safe mode contained a wrong code example that used an invalid safeMode option instead of the correct safe option. This has now been corrected. If you already use the safe mode, please check your code.

➡️ Read more