CVE-2023-30544

Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration. Operators of Kiwi TCMS should upgrade to v12.2 or later to receive a patch. No known workarounds exist.

CVSS v3 3.9 LOW

3.9^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.3 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg	Vendor Advisory
https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/	Permissions Required
https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/	Release Notes
https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg	Vendor Advisory
https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/	Permissions Required
https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:kiwitcms:kiwi_tcms:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:00

Type	Values Removed	Values Added
References	~~() https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg - Vendor Advisory~~	() https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg - Vendor Advisory
References	~~() https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/ - Permissions Required~~	() https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/ - Permissions Required
References	~~() https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/ - Release Notes~~	() https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/ - Release Notes
CVSS	v2 : ~~unknown~~ v3 : ~~4.3~~	v2 : unknown v3 : 3.9

Information

Published : 2023-04-24 17:15

Updated : 2024-11-21 08:00

NVD link : CVE-2023-30544

Mitre link : CVE-2023-30544

CVE.ORG link : CVE-2023-30544

JSON object : View

Products Affected

kiwitcms

kiwi_tcms

CWE

CWE-283

Unverified Ownership

CWE-863

Incorrect Authorization

{"id": "CVE-2023-30544", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2023-04-24T17:15:10.777", "references": [{"url": "https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/", "tags": ["Permissions Required"], "source": "security-advisories@github.com"}, {"url": "https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/", "tags": ["Permissions Required"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-283"}, {"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration. Operators of Kiwi TCMS should upgrade to v12.2 or later to receive a patch. No known workarounds exist."}], "lastModified": "2024-11-21T08:00:23.647", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kiwitcms:kiwi_tcms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "54963FF5-B772-4EC5-A2A1-3E98D68369C8", "versionEndExcluding": "12.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}