Spyata

**Name of the Vulnerable Software and Affected Versions** Kiwi TCMS versions prior to 12.0 **Description** The issue concerns the lack of rate limits in Kiwi TCMS, making it easier for attackers to attempt brute-force attacks against the login page. **Recommendations** For versions prior to 12.0, upgrade to v12.0 or later to receive a patch. As a temporary workaround, consider installing and configuring a rate-limiting proxy, such as nginx, in front of Kiwi TCMS.

**Name of the Vulnerable Software and Affected Versions** Kiwi TCMS versions 11.6 and prior **Description** Kiwi TCMS is an open source test management system. In versions prior to 11.7, when users register new accounts and/or change passwords, there is no validation in place which would prevent them from picking an easy to guess password. This issue is resolved by providing defaults for the `AUTH PASSWORD VALIDATORS` configuration setting. As of version 11.7, the password can’t be too similar to other personal information, must contain at least 10 characters, can’t be a commonly used password, and can’t be entirely numeric. **Recommendations** For Kiwi TCMS versions 11.6 and prior, update to version 11.7 or later to resolve the issue. As a temporary workaround, an administrator may reset all passwords in Kiwi TCMS if they think a weak password may have been chosen.