PT-2023-18507 · Kiwi TCMS

Spyata · Published 2023-01-02 · Updated 2023-01-09 · CVE-2023-22451

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Kiwi TCMS versions 11.6 and prior

Description: Kiwi TCMS is an open source test management system. In versions prior to 11.7, when users register new accounts and/or change passwords, there is no validation in place which would prevent them from picking an easy to guess password. This issue is resolved by providing defaults for the AUTH_PASSWORD_VALIDATORS configuration setting. As of version 11.7, the password can't be too similar to other personal information, must contain at least 10 characters, can't be a commonly used password, and can't be entirely numeric.

Recommendations: For Kiwi TCMS versions 11.6 and prior, update to version 11.7 or later to resolve the issue. As a temporary workaround, an administrator may reset all passwords in Kiwi TCMS if they think a weak password may have been chosen.
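To make the difference between the pre-11.7 and 11.7 configurations concrete, the following is an added example, not code from Kiwi TCMS or from Django: it shows the AUTH_PASSWORD_VALIDATORS setting as an empty list (anything accepted) beside the four stock Django validators with a 10-character minimum, which is the set of rules the advisory describes, and adds a simplified pure-Python mirror of each check so the effect can be seen without a Django install. The COMMON_PASSWORDS set and the sample user attributes are constructed for the example, the similarity check approximates Django's SequenceMatcher comparison, and the returned error codes reuse Django's own code names (password_too_similar, password_too_short, password_too_common, password_entirely_numeric).

```python
import re
from difflib import SequenceMatcher

# Before 11.7: no validators configured, so any password is accepted.
AUTH_PASSWORD_VALIDATORS_BEFORE = []

# From 11.7: Django's four stock validators, with the minimum length raised
# from Django's default of 8 to the 10 characters the advisory describes.
# The dotted names are Django's real validator classes.
AUTH_PASSWORD_VALIDATORS = [
    {"NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator"},
    {"NAME": "django.contrib.auth.password_validation.MinimumLengthValidator",
     "OPTIONS": {"min_length": 10}},
    {"NAME": "django.contrib.auth.password_validation.CommonPasswordValidator"},
    {"NAME": "django.contrib.auth.password_validation.NumericPasswordValidator"},
]

# Constructed stand-in for the bundled common-password list (Django ships
# roughly 20,000 entries); a handful is enough to show the check.
COMMON_PASSWORDS = {"password", "password123", "qwertyuiop", "letmein123", "iloveyou123"}


def check_similarity(password, user_attrs, options):
    # Approximation of UserAttributeSimilarityValidator: compare the password
    # with each user attribute and each word-part of it; reject at >= 0.7.
    max_similarity = options.get("max_similarity", 0.7)
    for value in user_attrs.values():
        if not value or not isinstance(value, str):
            continue
        value_lower = value.lower()
        parts = re.split(r"\W+", value_lower) + [value_lower]
        for part in parts:
            if part and SequenceMatcher(a=password.lower(), b=part).quick_ratio() >= max_similarity:
                return "password_too_similar"
    return None


def check_min_length(password, user_attrs, options):
    # MinimumLengthValidator: Django's default is 8, Kiwi TCMS 11.7 uses 10.
    if len(password) < options.get("min_length", 8):
        return "password_too_short"
    return None


def check_common(password, user_attrs, options):
    # CommonPasswordValidator: case-insensitive lookup in the common list.
    if password.lower().strip() in COMMON_PASSWORDS:
        return "password_too_common"
    return None


def check_numeric(password, user_attrs, options):
    # NumericPasswordValidator: reject passwords made only of digits.
    if password.isdigit():
        return "password_entirely_numeric"
    return None


# Map the class name at the end of each dotted NAME to its simplified check.
CHECKS = {
    "UserAttributeSimilarityValidator": check_similarity,
    "MinimumLengthValidator": check_min_length,
    "CommonPasswordValidator": check_common,
    "NumericPasswordValidator": check_numeric,
}


def validate_password(password, user_attrs=None, validators=AUTH_PASSWORD_VALIDATORS):
    """Run the configured validators in order; return the list of error codes
    (an empty list means the password is accepted)."""
    errors = []
    for spec in validators:
        class_name = spec["NAME"].rsplit(".", 1)[-1]
        code = CHECKS[class_name](password, user_attrs or {}, spec.get("OPTIONS", {}))
        if code:
            errors.append(code)
    return errors


if __name__ == "__main__":
    # Constructed sample user; "jane.doe2023" is rejected only because it
    # mirrors the username, which the empty pre-11.7 list never checked.
    user = {"username": "jane.doe", "email": "jane.doe@example.com"}
    for pw in ["1234567890", "short", "password123", "jane.doe2023", "correct-horse-battery"]:
        print(f"{pw!r}: before={validate_password(pw, user, AUTH_PASSWORD_VALIDATORS_BEFORE)} "
              f"after={validate_password(pw, user)}")
```

Under the pre-11.7 configuration every one of the sample passwords comes back with an empty error list; under the 11.7 defaults only the last one is accepted. This also illustrates why the advisory's workaround of resetting passwords matters: the validators only run when a password is set or changed, so accounts created before the upgrade keep whatever weak password they had until they are forced through the new rules.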

Related Identifiers

CVE-2023-22451
GHSA-496X-2JQF-HP7G

Affected Products

Kiwi TCMS