Recent Vulnerabilities Research Posts Trends Blog About Contact

Published: 24/04/2023 Updated: 03/05/2023

CVSS v3 Base Score: 9 | Impact Score: 6 | Exploitability Score: 2.3

VMScore: 0

Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS before 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious actor may upload an `.exe` file or a file containing embedded JavaScript and trick others into clicking on these files, causing vulnerable browsers to execute malicious code on another computer. Kiwi TCMS v12.2 comes with functionality that allows administrators to configure additional upload validator functions which give them more control over what file types are accepted for upload. By default `.exe` are denied. Other files containing the `<script>` tag, regardless of their type are also denied b/c they are a path to XSS attacks. There are no known workarounds aside from upgrading.

Vulnerable Product	Search on Vulmon	Subscribe to Product
kiwitcms kiwi tcms

CWE-434 https://huntr.dev/bounties/c30d3503-600d-4d00-9571-98826a51f12c https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-fwcf-753v-fgcj https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2023-30613

Vulnerability Summary

Vulnerability Trend

References

Vulmon Search

About

Products

Connect