Kirby
CVE-2023-38492
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited, however we still recommend to update to one of the patch releases because they also fix more severe vulnerabilities.
Kirby's authentication endpoint did not limit the password length. This allowed attackers to provide a password with a length up to the server's maximum request body length. Validating that password against the user's actual password requires hashing the provided password, which requires more CPU and memory resources (and therefore processing time) the longer the provided password gets. This could be abused by an attacker to cause the website to become unresponsive or unavailable. Because Kirby comes with a built-in brute force protection, the impact of this vulnerability is limited to 10 failed logins from each IP address and 10 failed logins for each existing user per hour.
The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have added password length limits in the affected code so that passwords longer than 1000 bytes are immediately blocked, both when setting a password and when logging in.
AnalysisAI
Kirby is a content management system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited, however we still recommend to update to one of the patch releases because they also fix more severe vulnerabilities. Kirby's authentication endpoint did not limit the password length. This allowed attackers to provide a password with a length up to the server's maximum request body length. Validating that password against the user's actual password requires hashing the provided password, which requires more CPU and memory resources (and therefore processing time) the longer the provided password gets. This could be abused by an attacker to cause the website to become unresponsive or unavailable. Because Kirby comes with a built-in brute force protection, the impact of this vulnerability is limited to 10 failed logins from each IP address and 10 failed logins for each existing user per hour. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have added password length limits in the affected code so that passwords longer than 1000 bytes are immediately blocked, both when setting a password and when logging in. Affected products include: Getkirby Kirby. Version information: prior to 3.5.8.3.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Set resource limits, implement rate limiting, validate input sizes.
An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbit
An HTML injection vulnerability exists in the Edit Content Layout module of Kirby CMS v4.1.0. Rated high severity (CVSS
Kirby is an open-source content management system. Rated medium severity (CVSS 6.3), this vulnerability is remotely expl
A stored cross-site scripting (XSS) vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers
panel/login in Kirby v2.5.12 allows Host header injection via the "forget password" feature. Rated medium severity (CVSS
Kirby is a content management system. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, n
Kirby is an open source CMS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack co
panel/login in Kirby v2.5.12 allows XSS via a blog name. Rated medium severity (CVSS 5.4), this vulnerability is remotel
Kirby is a CMS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. T
Kirby is a content management system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at
Kirby v2.5.12 allows XSS by using the "site files" Add option to upload an SVG file. Rated medium severity (CVSS 4.8), t
Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter. Rated medium severi
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today