{"vulnerability": "CVE-2023-2245", "sightings": [{"uuid": "ad1ea6d4-5642-4630-9008-68d79b4abdfa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22458", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/3749", "content": "GitHub monitoring alert!!!\n\nUpdated: CVE-2023\nDescription: PowerShell POC for CVE-2023-24055\nURL: https://github.com/Live-Hack-CVE/CVE-2023-22458\n\nTags: #CVE-2023", "creation_timestamp": "2023-02-02T16:20:51.000000Z"}, {"uuid": "abcb4769-f0f1-4b89-acaf-37b2fa8833e6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22451", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/7054", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-22451\n\ud83d\udd25 CVSS Score: 6.5 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)\n\ud83d\udd39 Description: Kiwi TCMS is an open source test management system. In version 11.6 and prior, when users register new accounts and/or change passwords, there is no validation in place which would prevent them from picking an easy to guess password. This issue is resolved by providing defaults for the `AUTH_PASSWORD_VALIDATORS` configuration setting. As of version 11.7, the password can\u2019t be too similar to other personal information, must contain at least 10 characters, can\u2019t be a commonly used password, and can\u2019t be entirely numeric. As a workaround, an administrator may reset all passwords in Kiwi TCMS if they think a weak password may have been chosen. \n\ud83d\udccf Published: 2023-01-02T15:56:43.003Z\n\ud83d\udccf Modified: 2025-03-10T21:33:43.162Z\n\ud83d\udd17 References:\n1. 
https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-496x-2jqf-hp7g\n2. https://github.com/kiwitcms/Kiwi/commit/3759fb68aed36315cdde9fc573b2fe7c11544985\n3. https://huntr.dev/bounties/32a873c8-f605-4aae-9272-d80985ef2b73", "creation_timestamp": "2025-03-10T21:39:03.000000Z"}, {"uuid": "1a201896-45bb-4fe3-adf4-176f25ffc6df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-2245", "type": "seen", "source": "Telegram/OJ5hxCuQcTYgFnLUcNgF34koHvad2IPOs_Qtn9Y_Rbu3dHcq", "content": "", "creation_timestamp": "2025-02-06T02:41:38.000000Z"}, {"uuid": "3da8ad93-70b1-47d1-a529-e7da2259a8e2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-2245", "type": "published-proof-of-concept", "source": "Telegram/tROXu-VoDvIGOcLcpszl-EBZ8Ot5WUMl6WIZHqWkyLe8WA0", "content": "", "creation_timestamp": "2025-02-05T10:00:06.000000Z"}, {"uuid": "b97d2f87-472e-49fa-8838-9bc926438aa6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22450", "type": "seen", "source": "https://t.me/cibsecurity/64995", "content": "\u203c CVE-2023-22450 \u203c\n\nIn Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code execution.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-06-06T07:29:03.000000Z"}, {"uuid": "d55c1cb7-08fb-480a-b055-b5bfb0ec4609", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22455", "type": "seen", "source": "https://t.me/cibsecurity/56020", "content": "\u203c CVE-2023-22455 
\u203c\n\nDiscourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, tag descriptions, which can be updated by moderators, can be used for cross-site scripting attacks. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse\u2019s default Content Security Policy. Versions 2.8.14 and 3.0.0.beta16 contain a patch.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-01-06T00:19:25.000000Z"}, {"uuid": "ee4952b1-4a95-4dcf-a069-b4d27c9b4d82", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22454", "type": "seen", "source": "https://t.me/cibsecurity/56006", "content": "\u203c CVE-2023-22454 \u203c\n\nDiscourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, pending post titles can be used for cross-site scripting attacks. Pending posts can be created by unprivileged users when a category has the \"require moderator approval of all new topics\" setting set. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse\u2019s default Content Security Policy. A patch is available in versions 2.8.14 and 3.0.0.beta16.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-01-05T22:19:19.000000Z"}, {"uuid": "499b07cb-c072-486f-b995-4b3e46ab130d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22457", "type": "seen", "source": "https://t.me/cibsecurity/55892", "content": "\u203c CVE-2023-22457 \u203c\n\nCKEditor Integration UI adds support for editing wiki pages using CKEditor. 
Prior to versions 1.64.3, the `CKEditor.HTMLConverter` document lacked a protection against Cross-Site Request Forgery (CSRF), allowing to execute macros with the rights of the current user. If a privileged user with programming rights was tricked into executing a GET request to this document with certain parameters (e.g., via an image with a corresponding URL embedded in a comment or via a redirect), this would allow arbitrary remote code execution and the attacker could gain rights, access private information or impact the availability of the wiki. The issue has been patched in the CKEditor Integration version 1.64.3. This has also been patched in the version of the CKEditor integration that is bundled starting with XWiki 14.6 RC1. There are no known workarounds for this other than upgrading the CKEditor integration to a fixed version.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-01-04T18:18:11.000000Z"}, {"uuid": "ba23703f-54f5-46fa-b509-581274c3b352", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22452", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/3658", "content": "GitHub monitoring alert!!!\n\nUpdated: CVE-2023\nDescription: AV evasion, red team, blue team, defense\nURL: https://github.com/Live-Hack-CVE/CVE-2023-22452\n\nTags: #CVE-2023", "creation_timestamp": "2023-01-03T11:04:32.000000Z"}, {"uuid": "85d39984-cce9-40f3-9591-cae634591519", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22456", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/3661", "content": 
"GitHub monitoring alert!!!\n\nUpdated: CVE-2023\nDescription: AV evasion, red team, blue team, defense\nURL: https://github.com/Live-Hack-CVE/CVE-2023-22456\n\nTags: #CVE-2023", "creation_timestamp": "2023-01-04T01:43:03.000000Z"}, {"uuid": "fee4ddd9-594f-4f96-9f85-b7ecf9749bfd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22456", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/7058", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-22456\n\ud83d\udd25 CVSS Score: 6.1 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\ud83d\udd39 Description: ViewVC, a browser interface for CVS and Subversion version control repositories, has a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version).\n\nViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format \"html\"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format \"html\"][changes.path][end]`. 
(This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)\n\ud83d\udccf Published: 2023-01-03T18:29:51.262Z\n\ud83d\udccf Modified: 2025-03-10T21:33:20.040Z\n\ud83d\udd17 References:\n1. https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g\n2. https://github.com/viewvc/viewvc/issues/311\n3. https://github.com/viewvc/viewvc/releases/tag/1.1.29\n4. https://github.com/viewvc/viewvc/releases/tag/1.2.2", "creation_timestamp": "2025-03-10T21:39:07.000000Z"}, {"uuid": "eb212b4b-2cc7-43f8-9f20-443ee2848aa8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22457", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/7060", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-22457\n\ud83d\udd25 CVSS Score: 9.1 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)\n\ud83d\udd39 Description: CKEditor Integration UI adds support for editing wiki pages using CKEditor. Prior to versions 1.64.3, the `CKEditor.HTMLConverter` document lacked a protection against Cross-Site Request Forgery (CSRF), allowing to execute macros with the rights of the current user. If a privileged user with programming rights was tricked into executing a GET request to this document with certain parameters (e.g., via an image with a corresponding URL embedded in a comment or via a redirect), this would allow arbitrary remote code execution and the attacker could gain rights, access private information or impact the availability of the wiki. The issue has been patched in the CKEditor Integration version 1.64.3. This has also been patched in the version of the CKEditor integration that is bundled starting with XWiki 14.6 RC1. 
There are no known workarounds for this other than upgrading the CKEditor integration to a fixed version.\n\ud83d\udccf Published: 2023-01-04T14:24:39.871Z\n\ud83d\udccf Modified: 2025-03-10T21:33:09.143Z\n\ud83d\udd17 References:\n1. https://github.com/xwiki-contrib/application-ckeditor/security/advisories/GHSA-6mjp-2rm6-9g85\n2. https://github.com/xwiki-contrib/application-ckeditor/commit/6b1053164386aefc526df7512bc664918aa6849b\n3. https://jira.xwiki.org/browse/CKEDITOR-475", "creation_timestamp": "2025-03-10T21:39:12.000000Z"}, {"uuid": "dac9d4b2-73ad-4e3f-a85f-f949ddb6eb69", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22453", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/7072", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-22453\n\ud83d\udd25 CVSS Score: 5.3 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\ud83d\udd39 Description: Discourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, the number of times a user posted in an arbitrary topic is exposed to unauthorized users through the `/u/username.json` endpoint. The issue is patched in version 2.8.14 and 3.0.0.beta16. There is no known workaround.\n\ud83d\udccf Published: 2023-01-05T19:53:34.180Z\n\ud83d\udccf Modified: 2025-03-10T21:31:52.286Z\n\ud83d\udd17 References:\n1. https://github.com/discourse/discourse/security/advisories/GHSA-xx97-6494-p2rv\n2. 
https://github.com/discourse/discourse/commit/cbcf8a064b4889a19c991641e09c399bfa1ef2ad", "creation_timestamp": "2025-03-10T21:39:29.000000Z"}, {"uuid": "25852001-4489-4b3b-8a2a-b1a14192fcd0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22452", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/7055", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-22452\n\ud83d\udd25 CVSS Score: 6.5 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)\n\ud83d\udd39 Description: kenny2automate is a Discord bot. In the web interface for server settings, form elements were generated with Discord channel IDs as part of input names. Prior to commit a947d7c, no validation was performed to ensure that the channel IDs submitted actually belonged to the server being configured. Thus anyone who has access to the channel ID they wish to change settings for and the server settings panel for any server could change settings for the requested channel no matter which server it belonged to. Commit a947d7c resolves the issue and has been deployed to the official instance of the bot. The only workaround that exists is to disable the web config entirely by changing it to run on localhost. Note that a workaround is only necessary for those who run their own instance of the bot.\n\ud83d\udccf Published: 2023-01-02T19:17:59.571Z\n\ud83d\udccf Modified: 2025-03-10T21:33:37.198Z\n\ud83d\udd17 References:\n1. https://github.com/Kenny2github/kenny2automate/security/advisories/GHSA-73j8-xrcr-q6j7\n2. 
https://github.com/Kenny2github/kenny2automate/commit/a947d7ce408687b587c7e6dfd6026f7c4ee31ac2", "creation_timestamp": "2025-03-10T21:39:04.000000Z"}, {"uuid": "c9c3570e-eeed-4e86-be27-a264a4451bd8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22454", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/7073", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-22454\n\ud83d\udd25 CVSS Score: 8 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)\n\ud83d\udd39 Description: Discourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, pending post titles can be used for cross-site scripting attacks. Pending posts can be created by unprivileged users when a category has the \"require moderator approval of all new topics\" setting set. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse\u2019s default Content Security Policy. A patch is available in versions 2.8.14 and 3.0.0.beta16.\n\ud83d\udccf Published: 2023-01-05T19:58:36.355Z\n\ud83d\udccf Modified: 2025-03-10T21:31:46.858Z\n\ud83d\udd17 References:\n1. https://github.com/discourse/discourse/security/advisories/GHSA-ggq4-4qxc-c462\n2. https://github.com/discourse/discourse/commit/c0e2d7badac276d82a4056a994b48d68a8993a12", "creation_timestamp": "2025-03-10T21:39:30.000000Z"}, {"uuid": "9b1e2eb7-29e0-447e-8e0f-3c323ad319f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-2245", "type": "seen", "source": "https://t.me/cibsecurity/62664", "content": "\u203c CVE-2023-2245 \u203c\n\nA vulnerability was found in hansunCMS 1.4.3. It has been declared as critical. 
This vulnerability affects unknown code of the file /ueditor/net/controller.ashx?action=catchimage. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-227230 is the identifier assigned to this vulnerability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-04-22T20:32:48.000000Z"}, {"uuid": "1d812dea-3c59-476a-bbf1-ca1763c8b006", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22453", "type": "seen", "source": "https://t.me/cibsecurity/56002", "content": "\u203c CVE-2023-22453 \u203c\n\nDiscourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, the number of times a user posted in an arbitrary topic is exposed to unauthorized users through the `/u/username.json` endpoint. The issue is patched in version 2.8.14 and 3.0.0.beta16. There is no known workaround.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-01-05T22:19:15.000000Z"}, {"uuid": "be934f19-a9fe-4864-8d5a-cfa6232b5785", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22456", "type": "seen", "source": "https://t.me/cibsecurity/55822", "content": "\u203c CVE-2023-22456 \u203c\n\nViewVC, a browser interface for CVS and Subversion version control repositories, has a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. 
The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format \"html\"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format \"html\"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-01-03T22:17:23.000000Z"}, {"uuid": "ef0f5980-fa8b-47c4-ab97-086f6f283301", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22452", "type": "seen", "source": "https://t.me/cibsecurity/55745", "content": "\u203c CVE-2023-22452 \u203c\n\nkenny2automate is a Discord bot. In the web interface for server settings, form elements were generated with Discord channel IDs as part of input names. Prior to commit a947d7c, no validation was performed to ensure that the channel IDs submitted actually belonged to the server being configured. Thus anyone who has access to the channel ID they wish to change settings for and the server settings panel for any server could change settings for the requested channel no matter which server it belonged to. Commit a947d7c resolves the issue and has been deployed to the official instance of the bot. 
The only workaround that exists is to disable the web config entirely by changing it to run on localhost. Note that a workaround is only necessary for those who run their own instance of the bot.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-01-02T22:30:21.000000Z"}, {"uuid": "aa1db5c3-b761-4503-b39d-5040da6a72eb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-22451", "type": "seen", "source": "https://t.me/cibsecurity/55741", "content": "\u203c CVE-2023-22451 \u203c\n\nKiwi TCMS is an open source test management system. In version 11.6 and prior, when users register new accounts and/or change passwords, there is no validation in place which would prevent them from picking an easy to guess password. This issue is resolved by providing defaults for the `AUTH_PASSWORD_VALIDATORS` configuration setting. As of version 11.7, the password can\u2019t be too similar to other personal information, must contain at least 10 characters, can\u2019t be a commonly used password, and can\u2019t be entirely numeric. As a workaround, an administrator may reset all passwords in Kiwi TCMS if they think a weak password may have been chosen.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-01-02T18:30:26.000000Z"}]}