Weak password requirements in Kiwi TCMS
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2023-22451 |
| CWE-ID | CWE-521 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Kiwi Other software / Other software solutions |
| Vendor | Kiwi TCMS |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Weak password requirements
EUVDB-ID: #VU70717
Risk: Low
CVSSv3.1: 3.4 [CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-22451
CWE-ID:
CWE-521 - Weak Password Requirements
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform brute-force attack and guess the password.
The vulnerability exists due to weak password requirements when register new accounts and/or change passwords. An authenticated attacker with physical access can perform a brute-force attack and guess users' passwords.
MitigationInstall updates from vendor's website.
Vulnerable software versionsKiwi: 11.0 - 11.6
External linkshttp://huntr.dev/bounties/32a873c8-f605-4aae-9272-d80985ef2b73
http://github.com/kiwitcms/Kiwi/commit/3759fb68aed36315cdde9fc573b2fe7c11544985
http://github.com/kiwitcms/Kiwi/security/advisories/GHSA-496x-2jqf-hp7g
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
