CVE-2023-30613: Unrestricted file upload in kiwi TCMS
Kiwi TCMS allows users to upload attachments to test plans, test cases and other objects. In earlier versions there is no control over what kinds of files can be uploaded, so a malicious actor may upload an .exe file, or a file containing embedded JavaScript, and trick other users into opening it, causing a vulnerable browser to execute the code on their machine or enabling XSS attacks.
Stored XSS attacks via file uploads have been fixed in earlier versions of Kiwi TCMS, see GHSA-2wcr-87wf-cf9j. This advisory deals with prohibiting users from uploading potentially compromised files in the first place.
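An upload-side control of the kind this advisory calls for, as an added example that is not Kiwi TCMS's own fix: an extension allowlist combined with a content check that rejects native executables and script-bearing markup regardless of the filename. The allowlist, the `check_upload` helper and its return shape are assumptions for illustration.

```python
import re

# Constructed allowlist: attachment types a test-management tool typically needs.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".txt", ".log", ".csv", ".pdf"}

# Leading bytes of native executables: Windows PE ("MZ") and ELF.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")

# Markup a browser could execute if it renders the attachment inline.
SCRIPT_MARKUP = re.compile(rb"<\s*script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def check_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason); the reason names the first check that failed."""
    name = filename.lower()
    # Judge the *last* suffix, so "report.pdf.exe" is treated as .exe.
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext or '(none)'}' is not allowed"

    # The extension alone is not enough: inspect the bytes that were actually sent.
    if content.startswith(EXECUTABLE_MAGIC):
        return False, "content is a native executable"

    # Anything that looks like HTML/SVG/XML and carries script is refused,
    # whatever the filename claims it is.
    if content.lstrip().startswith(b"<") and SCRIPT_MARKUP.search(content):
        return False, "content is markup containing script"

    return True, "ok"
```

Pair a check like this with serving attachments as `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, so a file that slips through is downloaded rather than rendered.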
References
- github.com/advisories/GHSA-fwcf-753v-fgcj
- github.com/kiwitcms/Kiwi
- github.com/kiwitcms/Kiwi/security/advisories/GHSA-fwcf-753v-fgcj
- huntr.com/bounties/c30d3503-600d-4d00-9571-98826a51f12c
- huntr.dev/bounties/c30d3503-600d-4d00-9571-98826a51f12c
- kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122
- nvd.nist.gov/vuln/detail/CVE-2023-30613