CVE-2023-30544

low-risk
Published 2023-04-24

Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration. Operators of Kiwi TCMS should upgrade to v12.2 or later to receive a patch. No known workarounds exist.

Do I need to act?

-
0.53% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.9/10 Low
LOCAL / LOW complexity

Affected Products (1)

Kiwi Tcms

Affected Vendors

Kiwitcms

References (7)

Vendor Advisory https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg
Permissions Required https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/
Release Notes https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/
Vendor Advisory https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg
Permissions Required https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/
Release Notes https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/
https://huntr.com/bounties/1714df73-e639-4d64-ab25-ced82dad9f85
21
/ 100
low-risk
Severity 14/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal