CVE-2023-25156 — No protection against brute-force attacks on login page

Description

### Impact Previous versions of Kiwi TCMS do not impose rate limits which makes it easier to attempt brute-force attacks against the login page. ### Patches Users should upgrade to v12.0 or later. ### Workarounds Users may install and configure a rate-limiting proxy in front of Kiwi TCMS. For example nginx. ### References [Disclosed by spyata](https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/)

How to fix CVE-2023-25156

To remediate CVE-2023-25156, upgrade the affected package to a fixed version below.

—upgrade to 12.0 or later

Is CVE-2023-25156 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 12.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-25156
PATCHgithub.com/kiwitcms/Kiwi
WEBgithub.com/kiwitcms/Kiwi/commit/0ed213fa0ddb7a6dc77e3c3b99e8fc90ccdaf46f
WEBgithub.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9