Vulnerability details: VCID-q7uf-mtr5-sfca
Vulnerability ID VCID-q7uf-mtr5-sfca
Aliases CVE-2023-30544
GHSA-7x6q-3v3m-cwjg
Summary: Incorrect Authorization. Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration. Operators of Kiwi TCMS should upgrade to v12.2 or later to receive a patch. No known workarounds exist.
Status Published
Exploitability 0.5
Weighted Severity 3.5
Risk 1.8
Weaknesses (4)
System Score Found at
epss 0.0015 https://api.first.org/data/v1/epss?cve=CVE-2023-30544
cvssv3.1_qr LOW https://github.com/advisories/GHSA-7x6q-3v3m-cwjg
cvssv3.1 0.0 https://github.com/kiwitcms/Kiwi
generic_textual LOW https://github.com/kiwitcms/Kiwi
cvssv3.1 0.0 https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg
cvssv3.1 3.9 https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg
cvssv3.1_qr LOW https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg
generic_textual LOW https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg
ssvc Track https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg
cvssv3.1 0.0 https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85
generic_textual LOW https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85
cvssv3.1 3.9 https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/
ssvc Track https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/
cvssv3.1 0.0 https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122
generic_textual LOW https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122
cvssv3.1 3.9 https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/
ssvc Track https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/
cvssv3.1 0.0 https://nvd.nist.gov/vuln/detail/CVE-2023-30544
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2023-30544
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N Found at https://github.com/kiwitcms/Kiwi
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N Found at https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-04T18:46:19Z/ Found at https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N Found at https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-04T18:46:19Z/ Found at https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N Found at https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-04T18:46:19Z/ Found at https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-30544
Exploit Prediction Scoring System (EPSS)
Percentile 0.3532
EPSS Score 0.0015
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:44:39.354109+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/kiwitcms/CVE-2023-30544.yml 38.6.0