Kiwi Tcms · Kiwi Tcms · CVE-2023-25171
**Name of the Vulnerable Software and Affected Versions**
Kiwi TCMS versions prior to 12.0
**Description**
The password reset page has no rate limiting, which makes denial-of-service attacks against it easier: an attacker who knows the email addresses of Kiwi TCMS users can trigger a large number of password reset emails, potentially straining SMTP resources.
**Recommendations**
For versions prior to 12.0, upgrade to v12.0 or later to receive a patch.
As a temporary workaround, consider installing and configuring a rate-limiting proxy in front of Kiwi TCMS.
Additionally, configure rate limits on the email server when possible to minimize the risk of exploitation.
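A defender-side illustration of the rate limiting the recommendations call for, added here as an example and not Kiwi TCMS's own code: a password-reset handler wrapped with per-IP and per-address sliding-window limits in front of the mail sender. The limits, window and sample addresses are assumed values; an in-memory store is assumed for a single process.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window`-second span."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps of accepted events

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.events[key]
        while q and now - q[0] >= self.window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class PasswordResetService:
    """Wraps a mail sender so the reset form cannot be turned into an email flood."""

    def __init__(self, send_mail, ip_limit=5, email_limit=2, window=3600):
        self.send_mail = send_mail
        self.by_ip = SlidingWindowLimiter(ip_limit, window)        # protects the SMTP server
        self.by_email = SlidingWindowLimiter(email_limit, window)  # protects the named user
        self.throttled = 0

    def request_reset(self, client_ip, email, now=None):
        # The IP budget is consumed first, so a client cycling through many
        # addresses is cut off too; the per-address check only runs if the IP is allowed.
        if not self.by_ip.allow(client_ip, now) or not self.by_email.allow(email, now):
            self.throttled += 1
            return False  # the caller should still render the same neutral page
        self.send_mail(email)
        return True


def simulate_flood(n=20):
    """Constructed scenario: one client submits the form n times for one address."""
    outbox = []  # stand-in for SMTP (assumed): records every email that would be sent
    svc = PasswordResetService(outbox.append, ip_limit=5, email_limit=2, window=3600)
    for i in range(n):
        svc.request_reset("203.0.113.7", "user@example.test", now=float(i))
    return len(outbox), svc.throttled
```

With the assumed limits, 20 submissions for one address within the hour send only two emails and throttle the remaining 18.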