CVE-2023-25171
HIGHKiwitcms Kiwi Tcms < 12.0 - Resource Allocation Without Limits
Title source: ruleDescription
Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt denial-of-service attacks against the Password reset page. An attacker could potentially send a large number of emails if they know the email addresses of users in Kiwi TCMS. Additionally that may strain SMTP resources. Users should upgrade to v12.0 or later to receive a patch. As potential workarounds, users may install and configure a rate-limiting proxy in front of Kiwi TCMS and/or configure rate limits on their email server when possible.
References (4)
Core 4
Core References
Permissions Required
https://huntr.dev/bounties/3b712cb6-3fa3-4f71-8562-7a7016c6262e
Scores
CVSS v3
7.5
EPSS
0.0077
EPSS Percentile
73.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (2)
kiwitcms/kiwi_tcms
< 12.0
pypi/kiwitcms
0 - 12.0PyPI
Published
Feb 15, 2023
Tracked Since
Feb 18, 2026