CVE-2023-25171

Name: CVE-2023-25171
Creator: NVD / NIST
Published: 2023-02-15T15:15:11.653+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.9/10EPSS 0.91%

Last modified Jun 17, 2026

CVE-2023-25171 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt denial-of-service attacks against the Password reset page. EPSS estimates a 0.91% chance of exploitation in the next 30 days.

Description

Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt denial-of-service attacks against the Password reset page. An attacker could potentially send a large number of emails if they know the email addresses of users in Kiwi TCMS. Additionally that may strain SMTP resources. Users should upgrade to v12.0 or later to receive a patch. As potential workarounds, users may install and configure a rate-limiting proxy in front of Kiwi TCMS and/or configure rate limits on their email server when possible.

Metrics

CVSS 3.1

5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.91%

55.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Kiwitcms	Kiwi Tcms	< 12.0

References

https://github.com/kiwitcms/Kiwi/commit/761305d04f5910ba14cc04d1255a8f1afdbb87f3Patch
https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7j9h-3jxf-3vrfVendor Advisory
https://huntr.dev/bounties/3b712cb6-3fa3-4f71-8562-7a7016c6262ePermissions Required
https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120/Release Notes
https://github.com/kiwitcms/Kiwi/commit/761305d04f5910ba14cc04d1255a8f1afdbb87f3Patch
https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7j9h-3jxf-3vrfVendor Advisory
https://huntr.dev/bounties/3b712cb6-3fa3-4f71-8562-7a7016c6262ePermissions Required
https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120/Release Notes

Timeline

Published: Feb 15, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-25171?

How severe is CVE-2023-25171?

CVE-2023-25171 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 0.91% probability of exploitation in the next 30 days.

How do I fix CVE-2023-25171?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-25171?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST