Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-te8g-xmba-57a3
Vulnerability ID VCID-te8g-xmba-57a3
Aliases CVE-2023-25156
GHSA-7968-h4m4-ghm9
Summary Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt brute-force attacks against the login page. Users should upgrade to v12.0 or later to receive a patch. As a workaround, users may install and configure a rate-limiting proxy in front of Kiwi TCMS.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-307 Improper Restriction of Excessive Authentication Attempts
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00744 https://api.first.org/data/v1/epss?cve=CVE-2023-25156
epss 0.00744 https://api.first.org/data/v1/epss?cve=CVE-2023-25156
epss 0.00744 https://api.first.org/data/v1/epss?cve=CVE-2023-25156
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-7968-h4m4-ghm9
cvssv3.1 7.5 https://github.com/kiwitcms/Kiwi
generic_textual HIGH https://github.com/kiwitcms/Kiwi
cvssv3.1 7.5 https://github.com/kiwitcms/Kiwi/commit/0ed213fa0ddb7a6dc77e3c3b99e8fc90ccdaf46f
generic_textual HIGH https://github.com/kiwitcms/Kiwi/commit/0ed213fa0ddb7a6dc77e3c3b99e8fc90ccdaf46f
ssvc Track https://github.com/kiwitcms/Kiwi/commit/0ed213fa0ddb7a6dc77e3c3b99e8fc90ccdaf46f
cvssv3.1 7.5 https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9
cvssv3.1_qr HIGH https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9
generic_textual HIGH https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9
ssvc Track https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9
cvssv3.1 7.5 https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795
generic_textual HIGH https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795
cvssv3.1 7.5 https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/
ssvc Track https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/
cvssv3.1 7.5 https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120
generic_textual HIGH https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120
cvssv3.1 7.5 https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120/
ssvc Track https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120/
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-25156
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-25156
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-25156
https://github.com/kiwitcms/Kiwi
https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795
https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120
https://nvd.nist.gov/vuln/detail/CVE-2023-25156
0ed213fa0ddb7a6dc77e3c3b99e8fc90ccdaf46f https://github.com/kiwitcms/Kiwi/commit/0ed213fa0ddb7a6dc77e3c3b99e8fc90ccdaf46f
2b1a9be9-45e9-490b-8de0-26a492e79795 https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/
GHSA-7968-h4m4-ghm9 https://github.com/advisories/GHSA-7968-h4m4-ghm9
GHSA-7968-h4m4-ghm9 https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9
kiwi-tcms-120 https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/kiwitcms/Kiwi
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/kiwitcms/Kiwi/commit/0ed213fa0ddb7a6dc77e3c3b99e8fc90ccdaf46f
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:35Z/ Found at https://github.com/kiwitcms/Kiwi/commit/0ed213fa0ddb7a6dc77e3c3b99e8fc90ccdaf46f
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:35Z/ Found at https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:35Z/ Found at https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:35Z/ Found at https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-25156
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.73472
EPSS Score 0.00744
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:19:57.593264+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/25xxx/CVE-2023-25156.json 38.6.0