Kirby vulnerable to denial of service from unlimited password lengths
Description
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited; however, we still recommend updating to one of the patch releases because they also fix more severe vulnerabilities.
Kirby's authentication endpoint did not limit the password length. This allowed attackers to provide a password with a length up to the server's maximum request body length. Validating that password against the user's actual password requires hashing the provided password, which requires more CPU and memory resources (and therefore processing time) the longer the provided password gets. This could be abused by an attacker to cause the website to become unresponsive or unavailable. Because Kirby comes with built-in brute-force protection, the impact of this vulnerability is limited to 10 failed logins from each IP address and 10 failed logins for each existing user per hour.
The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have added password length limits in the affected code so that passwords longer than 1000 bytes are immediately blocked, both when setting a password and when logging in.
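As an added illustration (not Kirby's code), the following Python sketch shows the check ordering the fix establishes: both length bounds are evaluated before the password hash is ever computed, and failed attempts are counted per IP and per user against the 10-per-hour threshold the advisory mentions. `LoginGuard`, `hash_password` and the scrypt parameters are assumptions standing in for Kirby's `password_verify()`-based flow; the length limit is checked in bytes here, as the advisory describes it.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

MIN_PASSWORD_CHARS = 8      # minimum Kirby already enforced
MAX_PASSWORD_BYTES = 1000   # upper bound introduced by the fix (checked in bytes here)
MAX_FAILURES = 10           # failed logins allowed per IP and per user ...
WINDOW_SECONDS = 3600       # ... within one hour
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # assumed KDF; stands in for password_hash()


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password) (hypothetical storage format)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest and compare it in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


class LoginGuard:
    """Orders the checks so that no oversized request ever reaches the KDF."""

    def __init__(self, users: Dict[str, bytes],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.users = users          # username -> stored hash (constructed sample data)
        self.clock = clock          # injectable so the one-hour window can be tested
        self.failures: Dict[Tuple[str, str], List[float]] = defaultdict(list)
        self.hash_calls = 0         # instrumentation: how often the expensive KDF ran

    def _failures_in_window(self, key: Tuple[str, str]) -> int:
        cutoff = self.clock() - WINDOW_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key])

    def _fail(self, ip: str, username: str, reason: str) -> str:
        # every rejected attempt counts against both the IP and the user
        now = self.clock()
        self.failures[("ip", ip)].append(now)
        self.failures[("user", username)].append(now)
        return reason

    def login(self, ip: str, username: str, password: str) -> str:
        # 1. brute-force counters: 10 failures per IP or per user block further attempts
        if (self._failures_in_window(("ip", ip)) >= MAX_FAILURES
                or self._failures_in_window(("user", username)) >= MAX_FAILURES):
            return "rate_limited"
        # 2. cheap length bounds, evaluated before any hashing takes place
        if len(password) < MIN_PASSWORD_CHARS:
            return self._fail(ip, username, "invalid")
        if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
            return self._fail(ip, username, "excessive")
        stored = self.users.get(username)
        if stored is None:
            return self._fail(ip, username, "not_found")
        # 3. only now pay for the KDF, whose cost grows with the input length
        self.hash_calls += 1
        if verify_password(password, stored):
            return "ok"
        return self._fail(ip, username, "wrong")
```

`hash_calls` makes the property visible: a 1001-byte password is refused without a single KDF run, and once the per-IP or per-user counter reaches 10 even a correct password is refused until the window expires.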
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| getkirby/cms | Packagist | < 3.5.8.3 | 3.5.8.3 |
| getkirby/cms | Packagist | >= 3.6.0, < 3.6.6.3 | 3.6.6.3 |
| getkirby/cms | Packagist | >= 3.7.0, < 3.7.5.2 | 3.7.5.2 |
| getkirby/cms | Packagist | >= 3.8.0, < 3.8.4.1 | 3.8.4.1 |
| getkirby/cms | Packagist | >= 3.9.0, < 3.9.6 | 3.9.6 |
Patches
0e10ce3b0c2b: Fix password length vulnerability
33 files changed · +66 −1
i18n/translations/bg.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Моля въведете валиден email адрес", "error.user.language.invalid": "Моля въведете валиден език", "error.user.notFound": "\u041f\u043e\u0442\u0440\u0435\u0431\u0438\u0442\u0435\u043b\u044f\u0442 \u043d\u0435 \u043c\u043e\u0436\u0435 \u0434\u0430 \u0431\u044a\u0434\u0435 \u043d\u0430\u043c\u0435\u0440\u0435\u043d.", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Моля въведете валидна парола. Тя трабва да съдържа поне 8 символа.", "error.user.password.notSame": "\u041c\u043e\u043b\u044f, \u043f\u043e\u0442\u0432\u044a\u0440\u0434\u0435\u0442\u0435 \u043f\u0430\u0440\u043e\u043b\u0430\u0442\u0430", "error.user.password.undefined": "Потребителят няма парола",
i18n/translations/ca.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Si us plau, introdueix una adreça de correu electrònic vàlida", "error.user.language.invalid": "Introduïu un idioma vàlid", "error.user.notFound": "L'usuari \"{name}\" no s'ha trobat", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Introduïu una contrasenya vàlida. Les contrasenyes han de tenir com a mínim 8 caràcters.", "error.user.password.notSame": "Les contrasenyes no coincideixen", "error.user.password.undefined": "L'usuari no té una contrasenya",
i18n/translations/cs.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Zadejte prosím platnou emailovou adresu", "error.user.language.invalid": "Zadejte prosím platný jazyk", "error.user.notFound": "U\u017eivatele se nepoda\u0159ilo nal\u00e9zt", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Zadejte prosím platné heslo. Heslo musí být dlouhé alespoň 8 znaků.", "error.user.password.notSame": "Pros\u00edm potvr\u010fte heslo", "error.user.password.undefined": "Uživatel nemá nastavené heslo.",
i18n/translations/da.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Indtast venligst en gyldig email adresse", "error.user.language.invalid": "Indtast venligst et gyldigt sprog", "error.user.notFound": "Brugeren kunne ikke findes", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Indtast venligst en gyldig adgangskode. Adgangskoder skal minimum være 8 tegn lange.", "error.user.password.notSame": "Bekr\u00e6ft venligst adgangskoden", "error.user.password.undefined": "Brugeren har ikke en adgangskode",
i18n/translations/de.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Bitte gib eine gültige E-Mailadresse an", "error.user.language.invalid": "Bitte gib eine gültige Sprache an", "error.user.notFound": "Der Account \"{name}\" wurde nicht gefunden", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Bitte gib ein gültiges Passwort ein. Passwörter müssen mindestens 8 Zeichen lang sein.", "error.user.password.notSame": "Die Passwörter stimmen nicht überein", "error.user.password.undefined": "Der Account hat kein Passwort",
i18n/translations/el.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Παρακαλώ εισάγετε μια έγκυρη διεύθυνση ηλεκτρονικού ταχυδρομείου", "error.user.language.invalid": "Παρακαλώ εισαγάγετε μια έγκυρη γλώσσα", "error.user.notFound": "Δεν είναι δυνατή η εύρεση του χρήστη \"{name}\"", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Παρακαλώ εισάγετε έναν έγκυρο κωδικό πρόσβασης. Οι κωδικοί πρόσβασης πρέπει να έχουν μήκος τουλάχιστον 8 χαρακτήρων.", "error.user.password.notSame": "\u03a0\u03b1\u03c1\u03b1\u03ba\u03b1\u03bb\u03bf\u03cd\u03bc\u03b5 \u03b5\u03c0\u03b9\u03b2\u03b5\u03b2\u03b1\u03b9\u03ce\u03c3\u03c4\u03b5 \u03c4\u03bf\u03bd \u039a\u03c9\u03b4\u03b9\u03ba\u03cc \u03a0\u03c1\u03cc\u03c3\u03b2\u03b1\u03c3\u03b7\u03c2", "error.user.password.undefined": "Ο χρήστης δεν έχει κωδικό πρόσβασης",
i18n/translations/en.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Please enter a valid email address", "error.user.language.invalid": "Please enter a valid language", "error.user.notFound": "The user \"{name}\" cannot be found", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Please enter a valid password. Passwords must be at least 8 characters long.", "error.user.password.notSame": "The passwords do not match", "error.user.password.undefined": "The user does not have a password",
i18n/translations/eo.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Bonvolu entajpi validan retpoŝtadreson", "error.user.language.invalid": "Bonvolu entajpi validan lingvon", "error.user.notFound": "La uzanto \"{name}\" ne troveblas", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Bonvolu entajpi validan pasvorton. Pasvortoj devas esti almenaŭ 8 literojn longaj.", "error.user.password.notSame": "La pasvortoj ne estas kongruantaj", "error.user.password.undefined": "La uzanto ne havas pasvorton",
i18n/translations/es_419.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Por favor ingresa un correo electrónico valido", "error.user.language.invalid": "Por favor ingresa un idioma valido", "error.user.notFound": "El usuario no pudo ser encontrado", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Por favor ingresa una contraseña valida. Las contraseñas deben tener al menos 8 caracteres de largo.", "error.user.password.notSame": "Por favor confirma la contrase\u00f1a", "error.user.password.undefined": "El usuario no tiene contraseña",
i18n/translations/es_ES.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Por favor, introduce una dirección de correo electrónico válida", "error.user.language.invalid": "Por favor, introduce un idioma válido", "error.user.notFound": "No se puede encontrar el usuario \"{name}\"", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Por favor, introduce una contraseña válida. Las contraseñas deben tener al menos 8 caracteres de largo.", "error.user.password.notSame": "Las contraseñas no coinciden", "error.user.password.undefined": "El usuario no tiene contraseña",
i18n/translations/fa.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "لطفا یک ایمیل معتبر وارد کنید", "error.user.language.invalid": "لطفا زبان معتبری انتخاب کنید", "error.user.notFound": "کاربر «{name}» پیدا نشد", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "لطفا گذرواژه صحیحی با حداقل طول 8 حرف وارد کنید. ", "error.user.password.notSame": "\u0644\u0637\u0641\u0627 \u062a\u06a9\u0631\u0627\u0631 \u06af\u0630\u0631\u0648\u0627\u0698\u0647 \u0631\u0627 \u0648\u0627\u0631\u062f \u0646\u0645\u0627\u06cc\u06cc\u062f", "error.user.password.undefined": "کاربر فاقد گذرواژه است",
i18n/translations/fi.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Anna kelpaava sähköpostiosoite", "error.user.language.invalid": "Anna kelpaava kieli", "error.user.notFound": "K\u00e4ytt\u00e4j\u00e4\u00e4 ei l\u00f6ytynyt", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Anna kelpaava salasana. Salasanan täytyy olla ainakin 8 merkkiä pitkä.", "error.user.password.notSame": "Salasanat eivät täsmää", "error.user.password.undefined": "Käyttäjällä ei ole salasanaa",
i18n/translations/fr.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Veuillez saisir un courriel valide", "error.user.language.invalid": "Veuillez saisir une langue valide", "error.user.notFound": "L’utilisateur « {name} » n’a pu être trouvé", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Veuillez saisir un mot de passe valide. Les mots de passe doivent comporter au moins 8 caractères.", "error.user.password.notSame": "Les mots de passe ne sont pas identiques", "error.user.password.undefined": "Cet utilisateur n’a pas de mot de passe",
i18n/translations/hu.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Kérlek adj meg egy valós email-címet", "error.user.language.invalid": "Kérlek add meg a megfelelő nyelvi beállítást", "error.user.notFound": "A felhaszn\u00e1l\u00f3 nem tal\u00e1lhat\u00f3", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Kérlek adj meg egy megfelelő jelszót. A jelszónak legalább 8 karakter hosszúságúnak kell lennie.", "error.user.password.notSame": "K\u00e9rlek er\u0151s\u00edtsd meg a jelsz\u00f3t", "error.user.password.undefined": "A felhasználónak nincs jelszó megadva",
i18n/translations/id.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Masukkan surel yang valid", "error.user.language.invalid": "Masukkan bahasa yang valid", "error.user.notFound": "Pengguna \"{name}\" tidak dapat ditemukan", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Masukkan sandi yang valid. Sandi setidaknya mengandung 8 karakter.", "error.user.password.notSame": "Sandi tidak cocok", "error.user.password.undefined": "Pengguna tidak memiliki sandi",
i18n/translations/is_IS.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Vinsamlegast ákjósanlegt netfang", "error.user.language.invalid": "Vinsamlegast ákjósanlegt tungumál", "error.user.notFound": "Þessi notandi; \"{name}\" fannst ekki", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Veldu ákjósanlegt lykilorð. Minnst 8 stafa langt.", "error.user.password.notSame": "Lykilorðin stemma ekki", "error.user.password.undefined": "Þessi notandi hefur ekki lykilorð",
i18n/translations/it.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Inserisci un indirizzo email valido", "error.user.language.invalid": "Inserisci una lingua valida", "error.user.notFound": "L'utente non \u00e8 stato trovato", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Per favore inserisci una password valida. Le password devono essere lunghe almeno 8 caratteri", "error.user.password.notSame": "Le password non corrispondono", "error.user.password.undefined": "L'utente non ha una password",
i18n/translations/ko.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "올바른 이메일 주소를 입력하세요.", "error.user.language.invalid": "올바른 언어를 입력하세요.", "error.user.notFound": "사용자({name})가 없습니다.", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "암호를 8자 이상으로 설정하세요.", "error.user.password.notSame": "\uc554\ud638\ub97c \ud655\uc778\ud558\uc138\uc694.", "error.user.password.undefined": "암호가 설정되지 않았습니다.",
i18n/translations/lt.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Įrašykite teisingą el. pašto adresą", "error.user.language.invalid": "Įrašykite teisingą kalbą", "error.user.notFound": "Vartotojas \"{name}\" nerastas", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Prašome įrašyti galiojantį slaptažodį. Slaptažodį turi sudaryti bent 8 simboliai.", "error.user.password.notSame": "Slaptažodžiai nesutampa", "error.user.password.undefined": "Vartotojas neturi slaptažodžio",
i18n/translations/nb.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Vennligst skriv inn en gyldig e-postadresse", "error.user.language.invalid": "Vennligst skriv inn et gyldig språk", "error.user.notFound": "Brukeren kunne ikke bli funnet", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Vennligst skriv inn et gyldig passord. Passordet må minst være 8 tegn langt.", "error.user.password.notSame": "Vennligst bekreft passordet", "error.user.password.undefined": "Brukeren har ikke et passord",
i18n/translations/nl.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Gelieve een geldig emailadres in te voeren", "error.user.language.invalid": "Gelieve een geldige taal in te voeren", "error.user.notFound": "De gebruiker \"{name}\" kan niet worden gevonden", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Gelieve een geldig wachtwoord in te voeren. Wachtwoorden moeten minstens 8 karakters lang zijn.", "error.user.password.notSame": "De wachtwoorden komen niet overeen", "error.user.password.undefined": "De gebruiker heeft geen wachtwoord",
i18n/translations/pl.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Wprowadź poprawny adres email", "error.user.language.invalid": "Proszę podać poprawny język", "error.user.notFound": "Nie można znaleźć użytkownika \"{name}\"", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Wprowadź prawidłowe hasło. Hasła muszą mieć co najmniej 8 znaków.", "error.user.password.notSame": "Hasła nie są takie same", "error.user.password.undefined": "Użytkownik nie ma hasła",
i18n/translations/pt_BR.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Digite um endereço de email válido", "error.user.language.invalid": "Digite um idioma válido", "error.user.notFound": "Usuário \"{name}\" não encontrado", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Digite uma senha válida. Sua senha deve ter pelo menos 8 caracteres.", "error.user.password.notSame": "As senhas não combinam", "error.user.password.undefined": "O usuário não possui uma senha",
i18n/translations/pt_PT.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Digite um endereço de email válido", "error.user.language.invalid": "Digite um idioma válido", "error.user.notFound": "Utilizador \"{name}\" não encontrado", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Digite uma palavra-passe válida. A sua palavra-passe deve ter pelo menos 8 caracteres.", "error.user.password.notSame": "As palavras-passe não combinam", "error.user.password.undefined": "O utilizador não possui uma palavra-passe",
i18n/translations/ro.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Te rog introdu o adresă de e-mail validă", "error.user.language.invalid": "Te rog introdu o limbă validă", "error.user.notFound": "Utilizatorul \"{name}\" nu a fost găsit", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Te rog introdu o parolă validă. Parola trebuie să aibă cel puțin 8 caractere.", "error.user.password.notSame": "Parolele nu se potrivesc", "error.user.password.undefined": "Utilizatorul nu are parolă",
i18n/translations/ru.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Пожалуйста, введите правильный адрес эл. почты", "error.user.language.invalid": "Введите правильный язык", "error.user.notFound": "Пользователь \"{name}\" не найден", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Пожалуйста, введите правильный пароль. Он должен состоять минимум из 8 символов.", "error.user.password.notSame": "\u041f\u043e\u0436\u0430\u043b\u0443\u0439\u0441\u0442\u0430, \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0434\u0438\u0442\u0435 \u043f\u0430\u0440\u043e\u043b\u044c", "error.user.password.undefined": "У пользователя нет пароля",
i18n/translations/sk.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Prosím, zadajte platnú e-mailovú adresu", "error.user.language.invalid": "Prosím, zadajte platný jazyk", "error.user.notFound": "Užívateľa \"{name}\" nie je možné nájsť", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Prosím, zadajte platné heslo. Dĺžka hesla musí byť aspoň 8 znakov.", "error.user.password.notSame": "Heslá nie sú rovnaké", "error.user.password.undefined": "Užívateľ nemá heslo",
i18n/translations/sv_SE.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Ange en giltig e-postadress", "error.user.language.invalid": "Ange ett giltigt språk", "error.user.notFound": "Användaren \"{name}\" kan ej hittas", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Ange ett giltigt lösenord. Lösenordet måste vara minst 8 tecken långt.", "error.user.password.notSame": "Lösenorden matchar inte", "error.user.password.undefined": "Användaren har inget lösenord",
i18n/translations/tr.json+1 −0 modified@@ -183,6 +183,7 @@ "error.user.email.invalid": "Lütfen geçerli bir e-posta adresi girin", "error.user.language.invalid": "Lütfen geçerli bir dil girin", "error.user.notFound": "\"{name}\" kullanıcısı bulunamadı", + "error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.", "error.user.password.invalid": "Lütfen geçerli bir şifre giriniz. Şifreler en az 8 karakter uzunluğunda olmalıdır.", "error.user.password.notSame": "L\u00fctfen \u015fifreyi do\u011frulay\u0131n", "error.user.password.undefined": "Bu kullanıcının şifresi yok",
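Review bot: in every non-English translation hunk (bg.json through tr.json) the new `error.user.password.excessive` key carries the English text verbatim, so users of those locales will see an English message next to their localized `error.user.password.invalid` string; either supply translations for the locales that have them or leave the key out of these files so the English fallback is used explicitly rather than duplicated.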
src/Cms/User.php+7 −0 modified@@ -864,10 +864,17 @@ public function validatePassword( throw new NotFoundException(['key' => 'user.password.undefined']); } + // `UserRules` enforces a minimum length of 8 characters, + // so everything below that is a typo if (Str::length($password) < 8) { throw new InvalidArgumentException(['key' => 'user.password.invalid']); } + // too long passwords can cause DoS attacks + if (Str::length($password) > 1000) { + throw new InvalidArgumentException(['key' => 'user.password.excessive']); + } + if (password_verify($password, $this->password()) !== true) { throw new InvalidArgumentException(['key' => 'user.password.wrong', 'httpCode' => 401]); }
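Review bot: `Str::length($password) > 1000` counts characters, while the advisory describes the bound as 1000 bytes; a password made of multibyte characters can pass this check with several times that many bytes, so if the intent is to cap the input the hash function has to process, check `strlen($password)` (or both) and make the `user.password.excessive` message consistent with whichever unit is enforced. The check sits correctly ahead of `password_verify()`, which is the whole point of the fix; the comment "so everything below that is a typo" would read better as "so anything shorter cannot be a valid password".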
src/Cms/UserRules.php+11 −0 modified@@ -341,12 +341,23 @@ public static function validPassword( #[SensitiveParameter] string $password ): bool { + // too short passwords are ineffective if (Str::length($password ?? null) < 8) { throw new InvalidArgumentException([ 'key' => 'user.password.invalid', ]); } + // too long passwords can cause DoS attacks + // and are therefore blocked in the auth system + // (blocked here as well to avoid passwords + // that cannot be used to log in) + if (Str::length($password ?? null) > 1000) { + throw new InvalidArgumentException([ + 'key' => 'user.password.excessive', + ]); + } + return true; }
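Review bot: `$password ?? null` in both length checks is dead code, since the signature declares a non-nullable `string $password`; drop the `?? null` or, if a nullable parameter is really expected, change the type. The 1000-byte limit is now a magic number duplicated here and in `User::validatePassword()`; a shared class constant would keep the two call sites from drifting apart.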
tests/Cms/Users/UserRulesTest.php+1 −0 modified@@ -57,6 +57,7 @@ public function invalidDataProvider() ['Email', 'domain.com', 'Please enter a valid email address'], ['Language', 'english', 'Please enter a valid language'], ['Password', '1234', 'Please enter a valid password. Passwords must be at least 8 characters long.'], + ['Password', str_repeat('1234', 300), 'Please enter a valid password. Passwords must not be longer than 1000 characters.'], ['Role', 'rockstar', 'Please enter a valid role'] ]; }
tests/Cms/Users/UserTest.php+18 −1 modified@@ -199,6 +199,7 @@ public function passwordProvider() [null, false], ['', false], ['short', false], + [str_repeat('long', 300), false], ['invalid-password', false], ['correct-horse-battery-staple', true], ]; @@ -234,18 +235,34 @@ public function testValidatePasswordHttpCode() try { $user->validatePassword('short'); } catch (\Kirby\Exception\InvalidArgumentException $e) { + $this->assertSame( + 'Please enter a valid password. Passwords must be at least 8 characters long.', + $e->getMessage() + ); + $this->assertSame(400, $e->getHttpCode()); + $caught++; + } + + try { + $user->validatePassword(str_repeat('long', 300)); + } catch (\Kirby\Exception\InvalidArgumentException $e) { + $this->assertSame( + 'Please enter a valid password. Passwords must not be longer than 1000 characters.', + $e->getMessage() + ); $this->assertSame(400, $e->getHttpCode()); $caught++; } try { $user->validatePassword('longbutinvalid'); } catch (\Kirby\Exception\InvalidArgumentException $e) { + $this->assertSame('Wrong password', $e->getMessage()); $this->assertSame(401, $e->getHttpCode()); $caught++; } - $this->assertSame(2, $caught); + $this->assertSame(3, $caught); } public function testValidateUndefinedPassword()
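Review bot: both new cases use 1200-character inputs (`str_repeat('1234', 300)` and `str_repeat('long', 300)`), so the boundary is never pinned down; add `str_repeat('a', 1000)` as an accepted length and `str_repeat('a', 1001)` as a rejected one to `passwordProvider()` and `invalidDataProvider()`, and if the limit is meant in bytes, a multibyte case such as 501 two-byte characters that should be rejected.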
References
- github.com/advisories/GHSA-3v6j-v3qc-cxff (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-38492 (NVD entry)
- github.com/getkirby/kirby/commit/0e10ce3b0c2b88656564b8ff518ddc99136ac43e (fix commit)
- github.com/getkirby/kirby/releases/tag/3.5.8.3 (release notes)
- github.com/getkirby/kirby/releases/tag/3.6.6.3 (release notes)
- github.com/getkirby/kirby/releases/tag/3.7.5.2 (release notes)
- github.com/getkirby/kirby/releases/tag/3.8.4.1 (release notes)
- github.com/getkirby/kirby/releases/tag/3.9.6 (release notes)
- github.com/getkirby/kirby/security/advisories/GHSA-3v6j-v3qc-cxff (vendor advisory)