Vulnerabilities > CVE-2023-25156 - Improper Restriction of Excessive Authentication Attempts vulnerability in Kiwitcms Kiwi Tcms
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt brute-force attacks against the login page. Users should upgrade to v12.0 or later to receive a patch. As a workaround, users may install and configure a rate-limiting proxy in front of Kiwi TCMS.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/kiwitcms/Kiwi/commit/0ed213fa0ddb7a6dc77e3c3b99e8fc90ccdaf46f
- https://github.com/kiwitcms/Kiwi/commit/0ed213fa0ddb7a6dc77e3c3b99e8fc90ccdaf46f
- https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9
- https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9
- https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/
- https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/
- https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120/
- https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120/