Weak Password Implimentation in kiwitcms/kiwi

Valid

Reported on

Dec 2nd 2022


Description: We can change the password with just 1 character when we use change password function.

Proof of Concept When you change password, just press any character and then submit. You will see "Your password has been changed".

Impact

When users change password to a simple password (with any character or symbol), attacker can easily guess user password and access account.

We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. a month ago
We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back a month ago
spyata
a month ago

Researcher


Hi @Admin, can i have an update on this?

spyata
a month ago

Researcher


@admin, can i have an update?

kiwitcms/kiwi maintainer validated this vulnerability 8 days ago
spyata has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
kiwitcms/kiwi maintainer
8 days ago

Maintainer


Fixed in https://github.com/kiwitcms/Kiwi/pull/3025. Will be released in v11.7 in a few days.

Advisory: https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-496x-2jqf-hp7g (will become public in a few days, when v11.7 is published).

FTR we're planning on fixing a couple more issues in the same version before releasing it.

kiwitcms/kiwi maintainer
8 days ago

Maintainer


@admin - I am not able to mark this as fixed. The button under the comment field seems disabled when I try "Mark as fixed"

kiwitcms/kiwi maintainer marked this as fixed in 11.7 with commit 802ee5 4 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
kiwitcms/kiwi maintainer published this vulnerability 4 days ago
to join this conversation