Skip to main content

Kiwi Tcms CVE-2023-25171

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2023-02-15 security-advisories@github.com
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Feb 15, 2023 - 15:15 nvd
MEDIUM 5.9

DescriptionNVD

Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt denial-of-service attacks against the Password reset page. An attacker could potentially send a large number of emails if they know the email addresses of users in Kiwi TCMS. Additionally that may strain SMTP resources. Users should upgrade to v12.0 or later to receive a patch. As potential workarounds, users may install and configure a rate-limiting proxy in front of Kiwi TCMS and/or configure rate limits on their email server when possible.

AnalysisAI

Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Technical ContextAI

This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt denial-of-service attacks against the Password reset page. An attacker could potentially send a large number of emails if they know the email addresses of users in Kiwi TCMS. Additionally that may strain SMTP resources. Users should upgrade to v12.0 or later to receive a patch. As potential workarounds, users may install and configure a rate-limiting proxy in front of Kiwi TCMS and/or configure rate limits on their email server when possible. Affected products include: Kiwitcms Kiwi Tcms. Version information: prior to 12.0..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Set resource limits, implement rate limiting, validate input sizes.

CVE-2023-30613 CRITICAL POC
9.0 Apr 24

Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. Rat

CVE-2023-30628 HIGH POC
8.8 Apr 24

Kiwi TCMS is an open source test management system. Rated high severity (CVSS 8.8), this vulnerability is remotely explo

CVE-2023-25156 CRITICAL
9.8 Feb 15

Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. Rated critical

CVE-2023-36809 MEDIUM POC
5.4 Jul 05

Kiwi TCMS, an open source test management system allows users to upload attachments to test plans, test cases, etc. Rate

CVE-2023-33977 MEDIUM POC
5.4 Jun 06

Kiwi TCMS is an open source test management system for both manual and automated testing. Rated medium severity (CVSS 5.

CVE-2022-4105 MEDIUM POC
5.4 Nov 21

A stored XSS in a kiwi Test Plan can run malicious javascript which could be chained with an HTML injection to perform a

CVE-2023-22451 HIGH
8.8 Jan 02

Kiwi TCMS is an open source test management system. Rated high severity (CVSS 8.8), this vulnerability is remotely explo

CVE-2023-32686 MEDIUM
5.4 May 27

Kiwi TCMS is an open source test management system for both manual and automated testing. Rated medium severity (CVSS 5.

CVE-2023-27489 MEDIUM
5.4 Mar 29

Kiwi TCMS is an open source test management system for both manual and automated testing. Rated medium severity (CVSS 5.

CVE-2023-30544 MEDIUM
4.3 Apr 24

Kiwi TCMS is an open source test management system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exp

Share

CVE-2023-25171 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy