CVE-2022-39314: 
PHP vulnerability analysis and mitigation

Kirby, a flat-file CMS, was found to be vulnerable to user enumeration in versions prior to 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1. The vulnerability was discovered and disclosed on October 18, 2022, affecting the code-based login and password reset forms when using the auth.methods option (GitHub Advisory).

The vulnerability stems from improper error handling during the creation of code challenges for code-based login or password reset functionality. When errors occurred during challenge processing or within the user.login:failed hook, attackers could differentiate between existing and non-existing users based on the system's response. The vulnerability was assigned a CVSS v3.1 score of 4.8 (Medium) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (GitHub Advisory).

This vulnerability could allow attackers to confirm which users are registered in a Kirby installation. The exposed information could be exploited for social engineering attacks against users or to discover the organizational structure of the company using the CMS (GitHub Advisory).

The vulnerability was patched in versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1. The patches include swallowing errors during auth challenge creation and introducing a new auth.debug option. As a temporary workaround, users can set the auth.methods option to password to disable the code-based login and password reset forms (GitHub Advisory).