0x5t4l1n/CVE
1
0
Fork 0
mirror of https://github.com/0x5t4l1n/CVE.git synced 2026-05-26 19:26:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update README.md

Browse Source
This commit is contained in:
Stalin
2026-03-31 12:48:41 +05:30
committed by GitHub
parent 93883675b2
commit 3ee4354df8
1 changed files with 33 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+33 -34
View File
@@ -1,52 +1,51 @@
# CVE-2026-30081 — Security Advisory ![CVE](https://img.shields.io/badge/CVE-2026--29905-red)
# CVE-2026-29905 — Kirby CMS Persistent DoS via Malformed Image Upload
![CVE](https://img.shields.io/badge/CVE-2026--30081-red) ![CWE](https://img.shields.io/badge/CWE--319-Cleartext%20Transmission-orange) ![Severity](https://img.shields.io/badge/Severity-HIGH-critical) > CVE-2026-29905 has been officially published by MITRE.
> CVE-2026-30081 has been officially published by MITRE. ## Overview
A authenticated user with **Editor** permissions can upload a malformed file with an image extension to cause a persistent Denial of Service in Kirby CMS.
**CVE ID:** CVE-2026-29905
**Affected Version:** Kirby CMS ≤ 5.1.4
**Fixed In:** Kirby CMS 5.2.0-rc.1
**Severity:** Medium
**CWE:** CWE-252 (Unchecked Return Value), CWE-20 (Improper Input Validation)
--- ---
## Vulnerability Overview ## Description
| Field | Value | Kirby processes uploaded image files using PHP's `getimagesize()` function without validating its return value. When a malformed file is uploaded with a valid image extension (e.g. `.jpg`), `getimagesize()` returns `false` instead of an array. The application then triggers a fatal `TypeError` during thumbnail generation or metadata processing.
| :--------------- | :---------------------------------------------------------- |
| **CVE ID** | CVE-2026-30081 | The crash persists across page reloads until the file is manually removed from the filesystem.
| **CWE** | CWE-319: Cleartext Transmission of Sensitive Information |
| **Device Model** | QN-I-470 |
| **Firmware** | 6.1.1.B1 |
| **Severity** | HIGH |
| **Vendor** | Quantum Networks |
--- ---
## Vulnerability Description ## Impact
The administrative web interface of the affected Quantum Networks router (QN-I-470, firmware 6.1.1.B1) transmits authentication credentials in cleartext over the network. - Any Editor-role user (non-admin) can trigger the DoS condition.
- Affected pages return HTTP 500 until the file is removed manually.
When an administrator authenticates to the web-based management interface over HTTP, the supplied username and password are sent without any transport-layer encryption. As a result, an adjacent network attacker with access to the same broadcast domain can passively intercept network traffic and recover valid administrative credentials.
Successful credential disclosure enables complete compromise of the affected device.
--- ---
## Impact ## Fix
An attacker capable of intercepting network traffic on the same local network can:
- Obtain valid administrative credentials
- Gain full administrative control over the affected router
- Modify critical network configuration, including routing, DNS, and firewall settings
- Perform traffic interception, redirection, or manipulation
- Establish persistent or stealthy access to the network infrastructure
> Given that the affected device functions as a network gateway, successful exploitation may enable network-wide attacks against connected systems, significantly increasing the overall impact.
Patched in [Kirby CMS 5.2.0-rc.1](https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1).
--- ---
# References
## References - [CVE-2026-29905 on cve.org](https://www.cve.org/CVERecord?id=CVE-2026-29905)
- [CVE-2026-29905 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-29905)
1. [OWASP Top 10 — A02:2021 Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/) - [GHSA-cw7v-45wm-mcf2](https://github.com/advisories/GHSA-cw7v-45wm-mcf2)
2. [CWE-319: Cleartext Transmission of Sensitive Information](https://cwe.mitre.org/data/definitions/319.html) - [PoC Stalin-143/CVE-2026-29905](https://github.com/Stalin-143/CVE-2026-29905)
- [Kirby CMS 5.2.0-rc.1 Release](https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1)
- [Supporting Document (Google Drive)](https://drive.google.com/file/d/1MwvvSYIwnC8kOIzjycGMQZw4d2K2ef8h/view?usp=sharing)
--- ---
## Discoverer
**Stalin S** ([@Stalin-143](https://github.com/Stalin-143))