
Florianmrz

Researcher from hatchery.io
#50066 of 53,633
4.8 Total CVSS
Vulnerabilities · 1
PT-2022-24896
4.8
2022-10-18
Kirby · Kirby · CVE-2022-39314
**Name of the Vulnerable Software and Affected Versions**

- Kirby versions prior to 3.5.8.2
- Kirby versions prior to 3.6.6.2
- Kirby versions prior to 3.7.5.1
- Kirby versions prior to 3.8.1

**Description**

The issue affects Kirby, a flat-file CMS, and stems from Improper Restriction of Excessive Authentication Attempts, which allows user enumeration. It occurs when the `code` or `password-reset` auth method is enabled via the `auth.methods` option, or when the `debug` option is enabled in production. Because accounts that exist are locked after repeated failed attempts while non-existent accounts are not, an attacker using multiple IP addresses and login attempts can distinguish valid user accounts from invalid ones. The resulting list of valid accounts can be used to prepare social engineering attacks or to infer the organizational structure of a company.

**Recommendations**

- For versions prior to 3.5.8.2, update to version 3.5.8.2 or later.
- For versions prior to 3.6.6.2, update to version 3.6.6.2 or later.
- For versions prior to 3.7.5.1, update to version 3.7.5.1 or later.
- For versions prior to 3.8.1, update to version 3.8.1 or later.

As a temporary workaround, set the `auth.methods` option to `password` to disable the code-based login and password reset forms.