CVE-2023-30544
Kiwi TCMS allowed users to change their account email address to an unverified one
Description
Impact
In previous versions of Kiwi TCMS, users were able to update their email addresses via the "My profile" admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration.
Patches
With Kiwi TCMS v12.2 or later it is not possible to edit the email field associated with a user account.
Workarounds
No workaround exists.
References
Disclosed by [@novemberdad](https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/).
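The advisory describes a profile form that wrote a new address straight into the account, with no proof that the caller controls that address. The following added example (constructed for this page, not Kiwi TCMS code; the user model, signing key, token format and "outbox" are stand-ins for a real Django user, SECRET_KEY and mailer) shows that pattern next to a verify-then-apply flow in which the change only takes effect after a signed, time-limited token that was mailed to the new address is presented back:

```python
"""Email-change handling: the unverified pattern beside a verify-then-apply flow.

Constructed example, not Kiwi TCMS code. `User`, `SECRET_KEY`, the token
format and the `outbox` list stand in for a real user model, the app's
signing key and the mailer.
"""
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: app-wide signing key
TOKEN_TTL_SECONDS = 3600


class User:
    def __init__(self, username, email):
        self.username = username
        self.email = email
        self.pending_email = None  # address awaiting confirmation, if any


def change_email_unverified(user, new_email):
    """The pre-12.2 pattern: the profile form writes the new address to the
    account immediately. Whoever drives the session can redirect password
    resets and notifications to an address they control."""
    user.email = new_email
    return user.email


def _sign(user, new_email, issued_at):
    # Bind the token to the account, the target address and the issue time.
    msg = f"{user.username}|{new_email}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def request_email_change(user, new_email, outbox, now=None):
    """Step 1: record the request; mail a token to the NEW address only.
    The live `email` field is not touched here."""
    now = int(now if now is not None else time.time())
    user.pending_email = new_email
    token = f"{now}:{_sign(user, new_email, now)}"
    outbox.append((new_email, token))
    return token


def confirm_email_change(user, token, now=None):
    """Step 2: apply the change only if the token proves the caller read
    mail at `pending_email`. Returns True on success, False otherwise."""
    now = int(now if now is not None else time.time())
    if user.pending_email is None:
        return False
    try:
        issued_str, sig = token.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if now - issued_at > TOKEN_TTL_SECONDS:
        return False  # stale token: the user must request again
    expected = _sign(user, user.pending_email, issued_at)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # forged, tampered, or issued for a different address
    user.email = user.pending_email
    user.pending_email = None  # one-shot: a confirmed token cannot be replayed
    return True
```

Because the signature covers the username and the pending address, a token mailed for one account or one address cannot be replayed against another, and a second `request_email_change` call invalidates any earlier token. A real deployment would also notify the old address of the pending change and require re-authentication before accepting the request.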
How to fix CVE-2023-30544
To remediate CVE-2023-30544, upgrade the affected package to a fixed version below.
- Kiwi TCMS: upgrade to 12.2 or later
Is CVE-2023-30544 being exploited?
Low: the EPSS score is 0.1%, a low estimated probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not a record of observed attacks.
Affected packages (1)
- Kiwi TCMS: all versions before 12.2 (>= 0, < 12.2)
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | None | 0.0 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N |

The 0.0 base score follows directly from the vector's C:N/I:N/A:N impact metrics, so it reflects how that source scored the issue rather than the account-takeover potential the advisory describes; check the vector, not just the number, before deprioritising the upgrade.