No protection against brute-force attacks on login page

High
atodorov published GHSA-7968-h4m4-ghm9 Feb 15, 2023

Package

Kiwi TCMS

Affected versions

<=11.7

Patched versions

12.0

Description

Impact

Previous versions of Kiwi TCMS do not impose rate limits which makes it easier to attempt brute-force attacks against the login page.

Patches

Users should upgrade to v12.0 or later.

Workarounds

Users may install and configure a rate-limiting proxy in front of Kiwi TCMS, for example nginx.
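One way to set up that workaround, as an added example that is not part of the advisory or of the Kiwi TCMS project: an nginx front-end that counts only POSTs to the login form per client address and rejects anything beyond a small burst with 429. The upstream address 127.0.0.1:8080, the login path /accounts/login/, the hostname and the certificate paths are assumptions and must be checked against your own deployment.

```nginx
# Added example, not from the advisory or the Kiwi TCMS project.
# Assumptions: Kiwi TCMS listens on 127.0.0.1:8080 and serves its login
# form at /accounts/login/; hostname and TLS paths are placeholders.

events {}

http {
    # Count only POSTs (credential submissions) against the limit; an empty
    # key means nginx does not count the request, so viewing the form is free.
    map $request_method $login_limit_key {
        default "";
        POST    $binary_remote_addr;
    }

    # 10 MB of shared memory holds roughly 160k client states;
    # each client address gets 5 login attempts per minute.
    limit_req_zone $login_limit_key zone=login:10m rate=5r/m;
    limit_req_status    429;   # Too Many Requests instead of the default 503
    limit_req_log_level warn;  # rejected attempts show up in error.log at warn

    server {
        listen 443 ssl;
        server_name kiwi.example.com;                       # placeholder
        ssl_certificate     /etc/nginx/tls/kiwi.crt;        # placeholder
        ssl_certificate_key /etc/nginx/tls/kiwi.key;        # placeholder

        location = /accounts/login/ {
            # A burst of 5 absorbs a few mistyped passwords; nodelay rejects
            # anything beyond the burst immediately rather than queueing it.
            limit_req zone=login burst=5 nodelay;
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

If this nginx instance itself sits behind another load balancer, $binary_remote_addr will be the balancer's address and every user shares one bucket; use set_real_ip_from and real_ip_header from the ngx_http_realip_module so the limit is keyed on the real client. The warn-level limit_req log lines are a convenient signal to alert on.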

References

Disclosed by spyata

Severity

High (7.0 / 10)

CVSS base metrics

Attack vector: Physical
Attack complexity: High
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2023-25156

Weaknesses