kiwitcms is vulnerable to Denial Of Service (DoS). The vulnerability exists because the library does not impose rate limits in forms.py
, allowing an attacker to cause an application crash through the password reset page by sending a large number of emails if they know the user email addresses in Kiwi.
github.com/kiwitcms/Kiwi/commit/761305d04f5910ba14cc04d1255a8f1afdbb87f3
github.com/kiwitcms/Kiwi/pull/3068
github.com/kiwitcms/Kiwi/security/advisories/GHSA-7j9h-3jxf-3vrf
huntr.dev/bounties/3b712cb6-3fa3-4f71-8562-7a7016c6262e
huntr.dev/bounties/3b712cb6-3fa3-4f71-8562-7a7016c6262e/
kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120/