CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile: 61.1%
getkirby/cms is vulnerable to Denial of Service. The vulnerability exists in the validatePassword function in User.php because it does not limit the password length. An attacker who submits a password as large as the maximum request body size can cause CPU and memory resource exhaustion during hashing, allowing a remote attacker to cause an application slowdown.
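As an added example (not code from the Kirby project), the following PHP shows the general mitigation for this class of issue: bound the password's byte length with a cheap check before any hashing is performed, so an oversized value is rejected without paying the hashing cost. The function names, constants and the 1000-byte cap are assumptions chosen for illustration.

```php
<?php
// Added example, not Kirby's code: a length cap applied before password
// hashing. Function and constant names and the limits are assumptions.

const MIN_PASSWORD_BYTES = 8;
const MAX_PASSWORD_BYTES = 1000; // assumed cap; generous for real passwords

/**
 * Reject passwords outside the accepted byte-length range before any hashing
 * happens, so an oversized value costs only a strlen() call to refuse.
 */
function validatePasswordLength(string $password): void
{
    $bytes = strlen($password); // byte length, not character count
    if ($bytes < MIN_PASSWORD_BYTES) {
        throw new InvalidArgumentException(
            'Password must be at least ' . MIN_PASSWORD_BYTES . ' bytes'
        );
    }
    if ($bytes > MAX_PASSWORD_BYTES) {
        throw new InvalidArgumentException(
            'Password exceeds ' . MAX_PASSWORD_BYTES . ' bytes'
        );
    }
}

function hashPassword(string $password): string
{
    validatePasswordLength($password);               // cheap check first
    return password_hash($password, PASSWORD_DEFAULT); // expensive work only after validation
}

function verifyPassword(string $password, string $hash): bool
{
    try {
        validatePasswordLength($password);
    } catch (InvalidArgumentException $e) {
        return false; // out-of-range input never reaches password_verify()
    }
    return password_verify($password, $hash);
}

// Constructed inputs for a quick local check
$storedHash = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $storedHash));
var_dump(verifyPassword(str_repeat('A', 1000000), $storedHash));
```

The check runs on both the registration and login paths, since a login form accepts attacker-controlled input just as a password-change form does; the length test is on bytes rather than characters so that multibyte input cannot bypass the cap.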
github.com/getkirby/kirby/commit/0e10ce3b0c2b88656564b8ff518ddc99136ac43e
github.com/getkirby/kirby/commit/771d25eca9335c5034a09a34bf623779f5b22db2
github.com/getkirby/kirby/commit/c52bd9a5a0981de5a9ffe38b96cb98de727ee42d
github.com/getkirby/kirby/commit/d352237d2cc00f5da64d18e4011dbaf2df5973ae
github.com/getkirby/kirby/commit/eda64bc22a4d68b5e5a21315909c87c9a513fc37
github.com/getkirby/kirby/releases/tag/3.5.8.3
github.com/getkirby/kirby/releases/tag/3.6.6.3
github.com/getkirby/kirby/releases/tag/3.7.5.2
github.com/getkirby/kirby/releases/tag/3.8.4.1
github.com/getkirby/kirby/releases/tag/3.9.6
github.com/getkirby/kirby/security/advisories/GHSA-3v6j-v3qc-cxff