Security Headlines
CVE-2023-25156: No protection against brute-force attacks on login page

Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt brute-force attacks against the login page. Users should upgrade to v12.0 or later to receive a patch. As a workaround, users may install and configure a rate-limiting proxy in front of Kiwi TCMS.

CVE
#nginx

High

atodorov published GHSA-7968-h4m4-ghm9

Feb 15, 2023

Package

Kiwi TCMS

Affected versions

<=11.7

Patched versions

12.0

Description

Impact

Versions of Kiwi TCMS prior to 12.0 do not impose any rate limit on the login page, which makes it easier to brute-force user credentials against it.

Patches

Users should upgrade to v12.0 or later.

Workarounds

Users may install and configure a rate-limiting proxy (for example, nginx) in front of Kiwi TCMS so that excess login attempts are rejected before they reach the application.
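The workaround above amounts to a configuration change in front of the application. The following nginx configuration is an added example of it, not from the advisory or the Kiwi TCMS project; it assumes Kiwi TCMS listens on 127.0.0.1:8080 and serves its login form at /accounts/login/ (Django's default path), and the hostname and certificate paths are placeholders.

```nginx
# Added example, not part of the advisory or of Kiwi TCMS itself.
# Assumptions: Kiwi TCMS listens on 127.0.0.1:8080 and serves its login
# form at /accounts/login/ (the Django default); the hostname and TLS
# paths are placeholders.

# Count only POST requests to the login URL: limit_req does not account
# requests whose key is empty, so loading the form with GET stays free.
map $request_method $kiwi_login_key {
    default "";
    POST    $binary_remote_addr;
}

# 10 MB of shared state (roughly 160k distinct addresses) and a steady
# rate of 5 login attempts per minute per client address.
limit_req_zone $kiwi_login_key zone=kiwi_login:10m rate=5r/m;

upstream kiwi_tcms {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name tcms.example.com;

    ssl_certificate     /etc/nginx/tls/tcms.crt;
    ssl_certificate_key /etc/nginx/tls/tcms.key;

    # If another proxy or load balancer sits in front of nginx, every
    # client shares its address and the per-IP limit degrades into a
    # global one. Trust the forwarded header only from that hop:
    # set_real_ip_from 10.0.0.0/8;
    # real_ip_header   X-Forwarded-For;

    location = /accounts/login/ {
        # Allow a short burst beyond the steady rate, served at once;
        # anything above that is rejected with 429 and never reaches
        # the application. Rejections are logged at warn level.
        limit_req zone=kiwi_login burst=5 nodelay;
        limit_req_status 429;
        limit_req_log_level warn;

        proxy_pass http://kiwi_tcms;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://kiwi_tcms;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate with `nginx -t`, reload, then send repeated POSTs to https://tcms.example.com/accounts/login/ from one address: after about half a dozen immediate attempts nginx answers 429 and writes a "limiting requests" warning to its error log, and the attempt is never forwarded to Kiwi TCMS. The limit is keyed on the source address, so an attacker spreading attempts across many addresses is slowed only per address; the proxy reduces exposure but does not replace strong credentials and monitoring of failed logins.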

References

Disclosed by spyata (https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/)

Severity

High (7.0 / 10)

CVSS base metrics

Attack vector: Physical
Attack complexity: High
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2023-25156

Weaknesses

CWE-770: Allocation of Resources Without Limits or Throttling

Related news

GHSA-7968-h4m4-ghm9: No protection against brute-force attacks on login page

