CVE-2022-39315
moderate-risk
Published 2022-10-25
Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does not scale to brute force. The problem has been patched in Kirby 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1, and Kirby 3.8.1. In all of the mentioned releases, the maintainers have rewritten the affected code so that the delay is also inserted after the brute force limit is reached.
Do I need to act?
EPSS: 0.44% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 6.5/10 (Medium); attack vector NETWORK, attack complexity LOW
References
Release Notes: https://github.com/getkirby/kirby/releases/tag/3.5.8.2
Release Notes: https://github.com/getkirby/kirby/releases/tag/3.6.6.2
Release Notes: https://github.com/getkirby/kirby/releases/tag/3.7.5.1
Release Notes: https://github.com/getkirby/kirby/releases/tag/3.8.1
Third Party Advisory: https://github.com/getkirby/kirby/security/advisories/GHSA-c27j-76xg-6x4f
Risk score: 38 / 100 (moderate-risk)
Severity: 24/34 · High
Exploitability: 2/34 · Minimal
Exposure: 12/34 · Low