GHSA-7968-h4m4-ghm9: No protection against brute-force attacks on login page

Impact

Versions of Kiwi TCMS prior to 12.0 do not rate-limit requests to the login page, so an attacker can submit an unlimited number of password guesses, which makes brute-force and credential-stuffing attacks against user accounts easier.

Patches

Users should upgrade to v12.0 or later.

Workarounds

Users who cannot upgrade may install and configure a rate-limiting reverse proxy (for example, nginx) in front of Kiwi TCMS so that login attempts per client are throttled before they reach the application.
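A rate-limiting proxy of the kind the workaround describes, as an added example that is not part of the advisory or of the Kiwi TCMS project: an nginx reverse-proxy fragment that throttles POST submissions to the login URL per client address while leaving the rest of the site unlimited. The login path /accounts/login/, the upstream address 127.0.0.1:8080, the hostname, the certificate paths, and the rate of 5 attempts per minute with a burst of 5 are assumptions to adjust for the actual deployment.

```nginx
# Added example (not from the advisory or Kiwi TCMS): nginx reverse proxy that
# rate-limits login attempts per client IP. Paths, upstream and limits are assumed.

# The map and limit_req_zone directives belong in the http {} context.
# Key only POST requests (login submissions) by client address. An empty key is
# not counted by nginx, so GET requests for the login form stay unlimited.
map $request_method $login_limit_key {
    POST    $binary_remote_addr;
    default "";
}

# 10 MB shared zone (room for roughly 160k addresses), steady rate 5 requests/minute.
limit_req_zone $login_limit_key zone=kiwi_login:10m rate=5r/m;

server {
    listen 443 ssl;
    server_name kiwi.example.com;            # assumed hostname
    ssl_certificate     /etc/ssl/kiwi.crt;   # assumed certificate paths
    ssl_certificate_key /etc/ssl/kiwi.key;

    # Login endpoint (assumed path): allow a burst of 5 immediately, then
    # reject excess attempts with 429 instead of the default 503.
    location = /accounts/login/ {
        limit_req zone=kiwi_login burst=5 nodelay;
        limit_req_status 429;
        limit_req_log_level warn;            # rejected attempts show up in the error log
        proxy_pass http://127.0.0.1:8080;    # assumed Kiwi TCMS upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else is proxied without a limit.
    location / {
        proxy_pass http://127.0.0.1:8080;    # assumed Kiwi TCMS upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate with `nginx -t` before reloading. Two caveats matter in practice: the limit is keyed on the address nginx sees, so if another load balancer sits in front, nginx must be configured (ngx_http_realip_module) to trust its X-Forwarded-For header, otherwise every client shares one bucket; and per-address limiting only slows a single source, so attempts spread across many addresses, or many users behind one NAT, are not distinguished. The application must also be reachable only through the proxy, or the limit is trivially bypassed. The workaround reduces exposure; upgrading to v12.0 is the fix.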

References

Disclosed by spyata


Severity: High. GitHub Reviewed. Published Feb 15, 2023 in kiwitcms/Kiwi; updated Feb 15, 2023.

Related news

CVE-2023-25156: No protection against brute-force attacks on login page

Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt brute-force attacks against the login page. Users should upgrade to v12.0 or later to receive a patch. As a workaround, users may install and configure a rate-limiting proxy in front of Kiwi TCMS.