No rate limiting on the reset password page leads to a DoS attack and inbox flooding for any user in kiwitcms/kiwi


Reported on

Nov 24th 2022


I can use this attack to take advantage of the reset password confirmation mechanism and send a large number of emails to anyone whose email address I know, as well as perform a DoS attack by draining the resources of the SMTP service and the web server.

Proof of Concept

// PoC.js!AjTDEH9wRz1ugRE6IG1N-CHkvXml?e=mhTsF6


I can deny service: the server will drain its SMTP resources and flood the inbox of any user whose email address I have, and all of those emails will be sent from the site, destroying the company's reputation.


Set a limit on the number of messages sent per minute.
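The limit the report asks for, as an added example in Python (not Kiwi TCMS code and not the project's fix): a sliding-window throttle keyed both by normalized email address and by client IP, wrapped around a simulated reset view, replayed against constructed flood traffic. The class and function names, the limits (1 mail per address per minute, 5 per source IP per minute) and the sample addresses are assumptions for illustration.

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Controllable clock so the simulation is deterministic and runs offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class PasswordResetThrottle:
    """Sliding-window limiter keyed separately by normalized email address and
    by client IP. Limits and window length are assumed values for illustration."""

    def __init__(self, per_email=1, per_ip=5, window=60.0, clock=time.monotonic):
        self.per_email = per_email
        self.per_ip = per_ip
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def _recent(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        return len(q)

    def allow(self, email, client_ip):
        now = self.clock()
        # Normalize so "Victim@Example.com" and "victim@example.com" share one bucket.
        ekey = ("email", email.strip().lower())
        ikey = ("ip", client_ip)
        if self._recent(ekey, now) >= self.per_email:
            return False
        if self._recent(ikey, now) >= self.per_ip:
            return False
        self._hits[ekey].append(now)
        self._hits[ikey].append(now)
        return True


def handle_reset_request(email, client_ip, throttle, outbox):
    """Simulated reset view. The response is identical whether the address is
    registered, accepted or throttled, so the limiter adds no account-enumeration
    oracle; only the side effect (a queued email) is gated."""
    if throttle is None or throttle.allow(email, client_ip):
        outbox.append(email)  # stands in for the real SMTP send
    return "If that address is registered, a reset link has been sent."


def simulate(requests, throttle):
    """Replay a list of (email, client_ip) requests; return the number of mails sent."""
    outbox = []
    for email, ip in requests:
        handle_reset_request(email, ip, throttle, outbox)
    return len(outbox)


# Constructed traffic (not captured data): one attacker IP hammering one victim
# 500 times, then the same IP rotating through 20 different target addresses.
VICTIM_FLOOD = [("victim@example.com", "203.0.113.7")] * 500
ROTATING_TARGETS = [(f"user{i}@example.com", "203.0.113.7") for i in range(20)]


def run_demo():
    unlimited = simulate(VICTIM_FLOOD, None)           # no limit: every request sends mail
    clock = FakeClock()
    throttle = PasswordResetThrottle(clock=clock)
    limited = simulate(VICTIM_FLOOD, throttle)         # per-address limit: one mail
    rotated = simulate(ROTATING_TARGETS, throttle)     # per-IP limit caps the rotation
    clock.advance(61)                                  # window expires
    after_window = throttle.allow("victim@example.com", "203.0.113.7")
    return unlimited, limited, rotated, after_window


if __name__ == "__main__":
    print(run_demo())  # (500, 1, 4, True)
```

The per-address limit is the one that actually protects the victim's inbox and the SMTP queue; the per-IP limit only raises the cost for a single-source attacker and is bypassed by rotating source addresses. Rejected requests are deliberately not recorded, so a sustained flood does not extend the legitimate user's lockout past one window. The in-memory dict is fine for the demonstration but not for a multi-process or multi-host deployment, where the counters would have to live in a shared store.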

We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. 4 months ago
We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back 4 months ago


@admin Any update?

3 months ago


@admin Any updates?

2 months ago


No update, feel free to reach out via other channels

kiwitcms/kiwi maintainer validated this vulnerability a month ago
Ahmed Rabeaa Mosaa has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
kiwitcms/kiwi maintainer marked this as fixed in 12.0 with commit 761305 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 20th 2023
This vulnerability has been validated
a month ago


Can you assign a CVE?

kiwitcms/kiwi maintainer published this vulnerability a month ago