Weak Password Implimentation in kiwitcms/kiwi

Valid

Reported on

Dec 2nd 2022

Description: We can change the password with just 1 character when we use change password function.

Proof of Concept When you change password, just press any character and then submit. You will see "Your password has been changed".

Impact

When users change password to a simple password (with any character or symbol), attacker can easily guess user password and access account.

We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. a year ago
We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back a year ago
spyata
a year ago

Researcher

Hi @Admin, can i have an update on this?

spyata
a year ago

Researcher

@admin, can i have an update?

kiwitcms/kiwi maintainer validated this vulnerability a year ago
spyata has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
kiwitcms/kiwi maintainer
a year ago

Maintainer

Fixed in https://github.com/kiwitcms/Kiwi/pull/3025. Will be released in v11.7 in a few days.

Advisory: https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-496x-2jqf-hp7g (will become public in a few days, when v11.7 is published).

FTR we're planning on fixing a couple more issues in the same version before releasing it.

kiwitcms/kiwi maintainer
a year ago

Maintainer

@admin - I am not able to mark this as fixed. The button under the comment field seems disabled when I try "Mark as fixed"

kiwitcms/kiwi maintainer marked this as fixed in 11.7 with commit 802ee5 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
kiwitcms/kiwi maintainer published this vulnerability a year ago
to join this conversation