CVE-2022-39315
Published 2022-10-25
Priority: P427 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.58% (43.5th percentile)
Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does not scale to brute force. The problem has been patched in Kirby 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1, and Kirby 3.8.1. In all of the mentioned releases, the maintainers have rewritten the affected code so that the delay is also inserted after the brute force limit is reached.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getkirby | cms | >= 0 < 3.5.8.2 | 3.5.8.2 |
| getkirby | cms | >= 3.6.0 < 3.6.6.2 | 3.6.6.2 |
| getkirby | cms | >= 3.7.0 < 3.7.5.1 | 3.7.5.1 |
| getkirby | cms | >= 3.8.0 < 3.8.1 | 3.8.1 |
| getkirby | kirby | < 3.5.8.2 | 3.5.8.2 |
| getkirby | kirby | — | — |
| getkirby | kirby | — | — |
| getkirby | kirby | — | — |
| getkirby | kirby | — | — |
| getkirby | kirby | >= 3.6.0 < 3.6.6.2 | 3.6.6.2 |
| getkirby | kirby | >= 3.7.0 < 3.7.5.1 | 3.7.5.1 |
GHSA
Kirby CMS vulnerable to user enumeration in the brute force protection
ghsa·2022-10-18
CVE-2022-39315 [MEDIUM] CWE-204 Kirby CMS vulnerable to user enumeration in the brute force protection
Kirby CMS vulnerable to user enumeration in the brute force protection
### TL;DR
This vulnerability affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be exploited for targeted attacks because the attack does not scale to brute force.
----
### Introduction
User enumeration is a type of vulnerability that allows attackers to confirm which users are registered in a Kirby installation. This information can be abused for social engineering attacks against users of the site or to find out the organizational structure of the company.
User enumeration attacks are performed by entering an existing and a non-existing user into the email address field of the login form. If the system returns a different response or behaves differen
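The advisory text describes the enumeration mechanism (a different response or behaviour for an existing versus a non-existing address), and the CVE description says the fix inserts the delay after the brute force limit is reached as well. The following Python model is an added example and is not Kirby's code (Kirby is written in PHP); it is a simplified model of the flaw class, with a constructed in-memory user store and an injectable `sleep` so the applied delay can be observed instead of waited for. `LoginVulnerable` shows a login handler whose rate-limit branch answers immediately and only tracks failures for existing accounts, and `LoginHardened` shows the corrected shape: every failure path is tracked, delayed and given the same generic answer. `enumeration_signal` is a defender's check that runs the same attempts against a known and an unknown address and reports whether the final responses differ.

```python
import hashlib
import hmac
import time

# Constructed sample user store for this example: email -> salted password hash.
# Illustration only; a real system would use a slow hash such as bcrypt or argon2.
_SALT = b"example-salt"
USERS = {
    "editor@example.com": hashlib.sha256(_SALT + b"correct-horse-battery").hexdigest(),
}
# Hash compared against for unknown addresses so the hashing work is the same either way.
_DUMMY_HASH = hashlib.sha256(_SALT + b"dummy-password").hexdigest()
BRUTE_FORCE_LIMIT = 3   # failed attempts before an address is blocked
FAILURE_DELAY = 1.0     # seconds slept on a failed attempt


def _password_ok(email: str, password: str) -> bool:
    """Hash and compare in constant time; always False for unknown addresses."""
    stored = USERS.get(email, _DUMMY_HASH)
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate) and email in USERS


class LoginVulnerable:
    """Model of the flaw class (assumed shape, not Kirby's code): the rate-limit
    branch returns before the delay, and only existing accounts accumulate
    failures. After the limit, a known address gets an instant 'rate-limited'
    answer while an unknown address still gets the delayed 'invalid' answer."""

    def __init__(self, sleep=time.sleep):
        self.sleep = sleep
        self.failures = {}

    def login(self, email: str, password: str) -> str:
        if self.failures.get(email, 0) >= BRUTE_FORCE_LIMIT:
            return "rate-limited"                 # no delay on this path
        if email not in USERS:
            self.sleep(FAILURE_DELAY)
            return "invalid"                      # failure not tracked for unknown users
        if not _password_ok(email, password):
            self.failures[email] = self.failures.get(email, 0) + 1
            self.sleep(FAILURE_DELAY)
            return "invalid"
        self.failures.pop(email, None)
        return "ok"


class LoginHardened:
    """Corrected shape: every failed attempt, for a known or unknown address and
    whether or not the limit is already reached, is tracked, delayed and
    answered with the same generic result."""

    def __init__(self, sleep=time.sleep):
        self.sleep = sleep
        self.failures = {}

    def login(self, email: str, password: str) -> str:
        blocked = self.failures.get(email, 0) >= BRUTE_FORCE_LIMIT
        if not blocked and _password_ok(email, password):
            self.failures.pop(email, None)
            return "ok"
        self.failures[email] = self.failures.get(email, 0) + 1
        self.sleep(FAILURE_DELAY)                 # delay on every failure path, limit reached or not
        return "invalid"


def enumeration_signal(service_cls, attempts: int = BRUTE_FORCE_LIMIT + 1):
    """Defender's check: make the same number of wrong-password attempts against a
    known and an unknown address and return the final (result, delay) pair for
    each. A handler is safe against this signal only if both pairs are equal."""
    slept = []
    svc = service_cls(sleep=slept.append)   # record delays instead of sleeping
    observed = {}
    for email in ("editor@example.com", "nobody@example.com"):
        result = None
        for _ in range(attempts):
            del slept[:]
            result = svc.login(email, "wrong-password")
        observed[email] = (result, sum(slept))
    return observed["editor@example.com"], observed["nobody@example.com"]


if __name__ == "__main__":
    print("vulnerable:", enumeration_signal(LoginVulnerable))
    print("hardened:  ", enumeration_signal(LoginHardened))
```

Run as a script, the vulnerable model reports `("rate-limited", 0)` for the known address against `("invalid", 1.0)` for the unknown one, while the hardened model reports `("invalid", 1.0)` for both. The hardened version deliberately keeps tracking and delaying once the limit is reached, rather than short-circuiting, because the short circuit itself is the observable difference; in a real deployment the remaining timing signal from password hashing should be removed the same way, by doing equivalent work for unknown addresses.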
OSV
Kirby CMS vulnerable to user enumeration in the brute force protection
osv·2022-10-18
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/getkirby/kirby/releases/tag/3.5.8.2
- https://github.com/getkirby/kirby/releases/tag/3.6.6.2
- https://github.com/getkirby/kirby/releases/tag/3.7.5.1
- https://github.com/getkirby/kirby/releases/tag/3.8.1
- https://github.com/getkirby/kirby/security/advisories/GHSA-c27j-76xg-6x4f
Published: 2022-10-25