Home > Vulnerability Database > CVE-2022-39315

Mend.io Vulnerability Database

CVE-2022-39315

Date: October 24, 2022

Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does not scale to brute force. The problem has been patched in Kirby 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1, and Kirby 3.8.1. In all of the mentioned releases, the maintainers have rewritten the affected code so that the delay is also inserted after the brute force limit is reached.

Language: PHP

Severity Score

6.5

Related Resources (8)

Url: https://github.com/getkirby/kirby/releases/tag/3.6.6.2

Url: https://github.com/getkirby/kirby/security/advisories/GHSA-c27j-76xg-6x4f

Url: https://github.com/getkirby/kirby

Url: https://github.com/getkirby/kirby/releases/tag/3.8.1

Url: https://github.com/getkirby/kirby/releases/tag/3.5.8.2

Url: https://github.com/getkirby/kirby/releases/tag/3.7.5.1

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39315

Url: https://www.mend.io/vulnerability-database/CVE-2022-39315

Severity Score

6.5

Weakness Type (CWE)

Exposure of Resource to Wrong Sphere

CWE-668

Observable Response Discrepancy

CWE-204

Generation of Error Message Containing Sensitive Information

CWE-209

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-39315

Date: October 24, 2022

Language: PHP

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?