CVE-2023-25171

Name of the Vulnerable Software and Affected Versions Kiwi TCMS versions prior to 12.0

Description The issue allows for easier denial-of-service attacks against the Password reset page due to the lack of rate limits. An attacker could send a large number of emails if they know the email addresses of users in Kiwi TCMS, potentially straining SMTP resources.

Recommendations For versions prior to 12.0, upgrade to v12.0 or later to receive a patch. As a temporary workaround, consider installing and configuring a rate-limiting proxy in front of Kiwi TCMS. Additionally, configure rate limits on the email server when possible to minimize the risk of exploitation.