Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-39315

Good to know:

icon

Date: October 25, 2022

Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does not scale to brute force. The problem has been patched in Kirby 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1, and Kirby 3.8.1. In all of the mentioned releases, the maintainers have rewritten the affected code so that the delay is also inserted after the brute force limit is reached.

Language: PHP

Severity Score

Related Resources (9)

https://github.com/getkirby/kirby/releases/tag/3.6.6.2
https://github.com/getkirby/kirby/security/advisories/GHSA-c27j-76xg-6x4f
https://github.com/getkirby/kirby/releases/tag/3.8.1
https://github.com/getkirby/kirby/releases/tag/3.5.8.2
https://github.com/advisories/GHSA-c27j-76xg-6x4f
https://github.com/getkirby/kirby/releases/tag/3.7.5.1
https://nvd.nist.gov/vuln/detail/CVE-2022-39315
https://github.com/getkirby/kirby/commit/13ee5775316fe11ff6ded735c1a31e763c3ef1f4
https://www.mend.io/vulnerability-database/CVE-2022-39315

Severity Score

Weakness Type (CWE)

Exposure of Resource to Wrong Sphere

CWE-668

Generation of Error Message Containing Sensitive Information

CWE-209

Top Fix

icon

Upgrade Version

Upgrade to version 3.5.8.2,3.6.6.2,3.7.5.1,3.8.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us