CVE-2023-30544 LOW

CVE-2023-30544: Kiwi TCMS may allow user to update email address to unverified one

Vendor Kiwitcms
Product Kiwi
Weakness CWE-283
Published April 24, 2023
Last update February 4, 2025
View on NVD All CVEs

CVSS base score

3.9/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration. Operators of Kiwi TCMS should upgrade to v12.2 or later to receive a patch. No known workarounds exist.

Key dates

02Disclosure timeline

April 24, 2023 CVE published
February 4, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-0598 Ansible-lightspeed: broken object level authorization leading to cross-user ai conversation context injection in ansible lightspeed api CVE-2026-40337 Sentry kernel has incomplete ownership check for IRQ line manipulation CVE-2025-47940 TYPO3 CMS Vulnerable to Privilege Escalation to System Maintainer CVE-2021-24500 Workreap theme < 2.2.2 - Multiple CSRF + IDOR Vulnerabilities CVE-2020-8554 Kubernetes man in the middle using LoadBalancer or ExternalIPs