Skip to main content

Kiwi Tcms CVE-2023-27489

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-03-29 security-advisories@github.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 29, 2023 - 19:15 nvd
MEDIUM 5.4

DescriptionNVD

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute. This vulnerability has been fixed by configuring Kiwi TCMS to serve with the Content-Security-Policy HTTP header which blocks inline JavaScript in all modern browsers. This configuration change is provided in version 12.1 and users are advised to upgrade. Users unable to upgrade may set their Content-Security-Policy HTTP header manually.

AnalysisAI

Kiwi TCMS is an open source test management system for both manual and automated testing. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute. This vulnerability has been fixed by configuring Kiwi TCMS to serve with the Content-Security-Policy HTTP header which blocks inline JavaScript in all modern browsers. This configuration change is provided in version 12.1 and users are advised to upgrade. Users unable to upgrade may set their Content-Security-Policy HTTP header manually. Affected products include: Kiwitcms Kiwi Tcms. Version information: version 12.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-30613 CRITICAL POC
9.0 Apr 24

Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. Rat

CVE-2023-30628 HIGH POC
8.8 Apr 24

Kiwi TCMS is an open source test management system. Rated high severity (CVSS 8.8), this vulnerability is remotely explo

CVE-2023-25156 CRITICAL
9.8 Feb 15

Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. Rated critical

CVE-2023-36809 MEDIUM POC
5.4 Jul 05

Kiwi TCMS, an open source test management system allows users to upload attachments to test plans, test cases, etc. Rate

CVE-2023-33977 MEDIUM POC
5.4 Jun 06

Kiwi TCMS is an open source test management system for both manual and automated testing. Rated medium severity (CVSS 5.

CVE-2022-4105 MEDIUM POC
5.4 Nov 21

A stored XSS in a kiwi Test Plan can run malicious javascript which could be chained with an HTML injection to perform a

CVE-2023-22451 HIGH
8.8 Jan 02

Kiwi TCMS is an open source test management system. Rated high severity (CVSS 8.8), this vulnerability is remotely explo

CVE-2023-25171 MEDIUM
5.9 Feb 15

Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. Rated medium se

CVE-2023-32686 MEDIUM
5.4 May 27

Kiwi TCMS is an open source test management system for both manual and automated testing. Rated medium severity (CVSS 5.

CVE-2023-30544 MEDIUM
4.3 Apr 24

Kiwi TCMS is an open source test management system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exp

Share

CVE-2023-27489 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy