From 3ee4354df87cb183e9689ec616c170dbe5a6140f Mon Sep 17 00:00:00 2001 From: Stalin <161853795+Stalin-143@users.noreply.github.com> Date: Tue, 31 Mar 2026 12:48:41 +0530 Subject: [PATCH] Update README.md --- README.md | 67 +++++++++++++++++++++++++++---------------------------- 1 file changed, 33 insertions(+), 34 deletions(-) diff --git a/README.md b/README.md index e077843..f2c4310 100644 --- a/README.md +++ b/README.md 
@@ -1,52 +1,51 @@ -# CVE-2026-30081 — Security Advisory +![CVE](https://img.shields.io/badge/CVE-2026--29905-red) +# CVE-2026-29905 — Kirby CMS Persistent DoS via Malformed Image Upload -![CVE](https://img.shields.io/badge/CVE-2026--30081-red) ![CWE](https://img.shields.io/badge/CWE--319-Cleartext%20Transmission-orange) ![Severity](https://img.shields.io/badge/Severity-HIGH-critical) +> CVE-2026-29905 has been officially published by MITRE. -> CVE-2026-30081 has been officially published by MITRE. +## Overview + +A authenticated user with **Editor** permissions can upload a malformed file with an image extension to cause a persistent Denial of Service in Kirby CMS. + +**CVE ID:** CVE-2026-29905 +**Affected Version:** Kirby CMS ≤ 5.1.4 +**Fixed In:** Kirby CMS 5.2.0-rc.1 +**Severity:** Medium +**CWE:** CWE-252 (Unchecked Return Value), CWE-20 (Improper Input Validation) --- -## Vulnerability Overview +## Description -| Field | Value | -| :--------------- | :---------------------------------------------------------- | -| **CVE ID** | CVE-2026-30081 | -| **CWE** | CWE-319: Cleartext Transmission of Sensitive Information | -| **Device Model** | QN-I-470 | -| **Firmware** | 6.1.1.B1 | -| **Severity** | HIGH | -| **Vendor** | Quantum Networks | +Kirby processes uploaded image files using PHP's `getimagesize()` function without validating its return value. When a malformed file is uploaded with a valid image extension (e.g. `.jpg`), `getimagesize()` returns `false` instead of an array. The application then triggers a fatal `TypeError` during thumbnail generation or metadata processing. + +The crash persists across page reloads until the file is manually removed from the filesystem. --- -## Vulnerability Description +## Impact -The administrative web interface of the affected Quantum Networks router (QN-I-470, firmware 6.1.1.B1) transmits authentication credentials in cleartext over the network. 
- -When an administrator authenticates to the web-based management interface over HTTP, the supplied username and password are sent without any transport-layer encryption. As a result, an adjacent network attacker with access to the same broadcast domain can passively intercept network traffic and recover valid administrative credentials. - -Successful credential disclosure enables complete compromise of the affected device. +- Any Editor-role user (non-admin) can trigger the DoS condition. +- Affected pages return HTTP 500 until the file is removed manually. --- -## Impact - -An attacker capable of intercepting network traffic on the same local network can: - -- Obtain valid administrative credentials -- Gain full administrative control over the affected router -- Modify critical network configuration, including routing, DNS, and firewall settings -- Perform traffic interception, redirection, or manipulation -- Establish persistent or stealthy access to the network infrastructure - -> Given that the affected device functions as a network gateway, successful exploitation may enable network-wide attacks against connected systems, significantly increasing the overall impact. +## Fix +Patched in [Kirby CMS 5.2.0-rc.1](https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1). --- + +# References -## References - -1. [OWASP Top 10 — A02:2021 Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/) -2. 
[CWE-319: Cleartext Transmission of Sensitive Information](https://cwe.mitre.org/data/definitions/319.html) - +- [CVE-2026-29905 on cve.org](https://www.cve.org/CVERecord?id=CVE-2026-29905) +- [CVE-2026-29905 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-29905) +- [GHSA-cw7v-45wm-mcf2](https://github.com/advisories/GHSA-cw7v-45wm-mcf2) +- [PoC – Stalin-143/CVE-2026-29905](https://github.com/Stalin-143/CVE-2026-29905) +- [Kirby CMS 5.2.0-rc.1 Release](https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1) +- [Supporting Document (Google Drive)](https://drive.google.com/file/d/1MwvvSYIwnC8kOIzjycGMQZw4d2K2ef8h/view?usp=sharing) + --- +## Discoverer + +**Stalin S** ([@Stalin-143](https://github.com/Stalin-143))
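Review bot: The added Fix section only links the 5.2.0-rc.1 release, while the added Impact section says affected pages return HTTP 500 until the file is removed manually. State in Fix whether upgrading alone restores a page that already holds a malformed upload or whether the file still has to be deleted, so operators of an already-affected site know what to do. In the Overview, "A authenticated user" should read "An authenticated user". The new `# References` heading is level 1 while every other section, and the `## References` heading it replaces, is level 2; make it `## References`. The hunk removes the entire CVE-2026-30081 advisory and puts a different advisory in its place, which the subject "Update README.md" does not record; if the removed content is meant to live elsewhere, say so in the commit message. The supporting document is linked from Google Drive; a copy committed to the repository would keep that reference stable.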