3.5.8.2
π¨ Security release
User enumeration in the code-based login and password reset forms
Severity: medium (CVSS score 4.8)
Errors that occur during the processing of the code-based login and password reset were in some cases passed to the user. This includes errors of the code challenge itself (e.g. if the email could not be sent) and errors thrown inside the user.login:failed
hook.
This vulnerability allowed user enumeration, which is a type of vulnerability that allows attackers to confirm which users are registered in a Kirby installation. This information can be abused for social engineering attacks against users of the site or to find out the organizational structure of the company.
This vulnerability only affects you if you are using the code
or password-reset
auth method with the auth.methods
option. It can only be successfully exploited under server configuration conditions outside of the attacker's control.
Thanks to Florian Merz (@florianmrz) of hatchery.io for responsibly reporting the identified issue.
User enumeration in the brute force protection
Severity: medium (CVSS score 6.5)
We used the opportunity to review other parts of Kirby's authentication handling and found another part that is affected by a similar user enumeration vulnerability caused by a response discrepancy in Kirby's brute force protection system.
This vulnerability affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be exploited for targeted attacks because the attack does not scale to brute force.