CVE-2022-39315

Name of the Vulnerable Software and Affected Versions Kirby versions prior to 3.5.8.2 Kirby versions prior to 3.6.6.2 Kirby versions prior to 3.7.5.1 Kirby versions prior to 3.8.1

Description The issue affects Kirby sites with user accounts, unless the API and Panel are disabled in the config. It allows attackers to confirm which users are registered in a Kirby installation through user enumeration, which can be used for social engineering attacks or to determine the organizational structure of a company. The vulnerability can only be exploited for targeted attacks because it does not scale to brute force due to the delay during the first 10 requests per user and the faint difference between responses for valid and invalid users.

Recommendations For versions prior to 3.5.8.2, update to Kirby 3.5.8.2 or a later version. For versions prior to 3.6.6.2, update to Kirby 3.6.6.2 or a later version. For versions prior to 3.7.5.1, update to Kirby 3.7.5.1 or a later version. For versions prior to 3.8.1, update to Kirby 3.8.1 or a later version. As a temporary workaround, consider disabling the API and Panel in the config to prevent exploitation.