PT-2022-24896 · Kirby · Kirby
Florian Merz (+1)
Published 2022-10-18 · Updated 2026-01-30
CVE-2022-39314
CVSS v3.1 4.8 Medium
Vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Kirby (flat-file CMS), one fixed release per maintained branch:
  Kirby 3.5.x before 3.5.8.2
  Kirby 3.6.x before 3.6.6.2
  Kirby 3.7.x before 3.7.5.1
  Kirby 3.8.x before 3.8.1
Description
Kirby, a flat-file CMS, is affected by Improper Restriction of Excessive Authentication Attempts (CWE-307) in its login handling, which allows user enumeration. The issue is reachable when the code or password-reset auth method is enabled through the auth.methods option, or when the debug option is enabled in production. Failed attempts are limited per source IP, so an attacker who spreads login attempts across multiple IP addresses stays under the per-IP limit; an existing account is still locked after repeated failures, while a non-existent account never is, and that observable difference reveals which accounts exist. The resulting list of valid accounts can be used to target social engineering attacks or to map the organizational structure of a company.
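The following is an added illustration, not code from the advisory or from Kirby: a deliberately simplified model of IP- and account-keyed failed-login tracking that reproduces the oracle described above. The class, the limits, the sample account and the rule that attempts against unknown accounts are not counted per account are assumptions of the model, chosen so that rotating source IPs leaves only the per-account state to decide the response.

```php
<?php
declare(strict_types=1);

// Simplified model of IP- and account-keyed failed-login tracking. It is NOT
// Kirby's implementation; the limits, the class and the "only existing accounts
// are counted per account" behaviour are assumptions chosen to reproduce the
// enumeration oracle the advisory describes.
final class LoginTracker
{
    private const MAX_PER_IP      = 10;
    private const MAX_PER_ACCOUNT = 10;

    /** @var array<string,int> failed attempts per source IP */
    private array $byIp = [];
    /** @var array<string,int> failed attempts per account */
    private array $byAccount = [];

    /**
     * @param list<string> $existingUsers accounts that actually exist (constructed sample)
     * @param bool         $countUnknown  whether attempts against unknown accounts
     *                                    are also counted per account
     */
    public function __construct(private array $existingUsers, private bool $countUnknown)
    {
    }

    /** One failed login: 'locked' if refused by a limit, otherwise 'rejected'. */
    public function failedAttempt(string $ip, string $email): string
    {
        $ipHits      = $this->byIp[$ip] ?? 0;
        $accountHits = $this->byAccount[$email] ?? 0;
        if ($ipHits >= self::MAX_PER_IP || $accountHits >= self::MAX_PER_ACCOUNT) {
            return 'locked';
        }
        $this->byIp[$ip] = $ipHits + 1;
        // The flaw modelled here: an unknown account leaves no per-account trace,
        // so it can never reach the per-account limit.
        if ($this->countUnknown || in_array($email, $this->existingUsers, true)) {
            $this->byAccount[$email] = $accountHits + 1;
        }
        return 'rejected';
    }
}

// Attacker-side probe: every attempt comes from a different address in the
// TEST-NET-3 documentation range, so the per-IP limit is never reached and only
// the per-account state decides the answer.
function probe(LoginTracker $tracker, string $email, int $attempts = 11): string
{
    $last = 'rejected';
    for ($i = 1; $i <= $attempts; $i++) {
        $last = $tracker->failedAttempt("203.0.113.$i", $email);
    }
    return $last;
}

$existing = ['admin@example.com'];   // constructed sample account

$vulnerable = new LoginTracker($existing, countUnknown: false);
printf("vulnerable model: admin=%s ghost=%s\n",
    probe($vulnerable, 'admin@example.com'),
    probe($vulnerable, 'ghost@example.com'));

$hardened = new LoginTracker($existing, countUnknown: true);
printf("hardened model:   admin=%s ghost=%s\n",
    probe($hardened, 'admin@example.com'),
    probe($hardened, 'ghost@example.com'));
```

In the vulnerable model the probe against the existing account ends in a lock while the unknown account is still merely rejected after the same number of attempts; that difference is the oracle. Counting unknown accounts as well removes the difference in this model; whether Kirby's fix works the same way is not stated in the advisory, so treat the hardened variant as an illustration of the principle and the version update as the remediation.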
Recommendations
Update to the fixed release of the branch in use:
  Kirby 3.5.x: update to 3.5.8.2 or later
  Kirby 3.6.x: update to 3.6.6.2 or later
  Kirby 3.7.x: update to 3.7.5.1 or later
  Kirby 3.8.x: update to 3.8.1 or later
If updating is not immediately possible, set the auth.methods option to password as a temporary workaround; this disables the code-based login and password reset forms. The workaround does not cover the second trigger in the description, so also make sure the debug option is disabled in production.
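As an added example that is not part of the advisory, the two configurations side by side in the form of a Kirby site/config/config.php. The debug option and auth.methods are Kirby's own options; the particular method list in the exposed variant and the decision to return the workaround array are assumptions for illustration.

```php
<?php
// site/config/config.php of a Kirby site (added illustration, not taken from the
// advisory). 'debug' and 'auth' => ['methods' => ...] are Kirby options; the
// method list below and the returned array are assumptions for this example.

// The setup the advisory describes as exposing enumeration on unpatched versions:
// code-based login and password reset enabled, and debug left on in production.
$exposed = [
    'debug' => true,
    'auth'  => [
        'methods' => ['password', 'code', 'password-reset'],
    ],
];

// Temporary workaround until the site runs a fixed release: password login only
// (removes the code and password-reset forms) and debug off in production.
$workaround = [
    'debug' => false,
    'auth'  => [
        'methods' => 'password',
    ],
];

return $workaround;
```

Applying the workaround also removes the password-reset form for legitimate users, so communicate that to editors and revert to the preferred method list once the site is on a fixed release.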

Weakness Enumeration
CWE-307: Improper Restriction of Excessive Authentication Attempts

Related Identifiers
CVE-2022-39314
GHSA-43QQ-QW4X-28F8

Affected Products
Kirby