CVE-2022-39315

MEDIUM

Kirby < 3.5.8.2 - Error Information Exposure


Description

Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does not scale to brute force. The problem has been patched in Kirby 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1, and Kirby 3.8.1. In all of the mentioned releases, the maintainers have rewritten the affected code so that the delay is also inserted after the brute force limit is reached.

Scores

CVSS v3: 6.5
EPSS: 0.0046
EPSS Percentile: 64.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-209, CWE-204
Status: published
Products (3):
getkirby/cms 0 - 3.5.8.2 (Packagist)
getkirby/kirby 3.8.0 (4 CPE variants)
getkirby/kirby < 3.5.8.2
Published: Oct 25, 2022
Tracked Since: Feb 18, 2026