CVE-2023-22451

Published: Jan 2, 2023

Modified: Mar 10, 2025

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Kiwi TCMS is an open source test management system. In version 11.6 and prior, when users register new accounts and/or change passwords, there is no validation in place which would prevent them from picking an easy to guess password. This issue is resolved by providing defaults for the `AUTH_PASSWORD_VALIDATORS` configuration setting. As of version 11.7, the password can’t be too similar to other personal information, must contain at least 10 characters, can’t be a commonly used password, and can’t be entirely numeric. As a workaround, an administrator may reset all passwords in Kiwi TCMS if they think a weak password may have been chosen.

Vendor	Product	Versions
kiwitcms	Kiwi	affected `<= 11.6`

Weaknesses (CWE)

CWE-521

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-496x-2jqf-hp7g

x_refsource_CONFIRM

https://github.com/kiwitcms/Kiwi/commit/3759fb68aed36315cdde9fc573b2fe7c11544985

x_refsource_MISC

https://huntr.dev/bounties/32a873c8-f605-4aae-9272-d80985ef2b73

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-22451

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References