Safety vulnerability ID: 59485
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Kiwi TCMS versions prior to 12.2 are vulnerable to unrestricted file uploads. Malicious actors may upload .exe files or files containing embedded JavaScript, potentially causing browsers to execute malicious code when the files are clicked. The attack relies on tricking users into interacting with files uploaded through the attachment upload functionality for test plans and test cases. There are no known workarounds aside from upgrading. Version 12.2 mitigates the issue by adding configurable upload validator functions that deny .exe files and any files containing the <script> tag.
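A sketch of the two checks the advisory describes (deny .exe file names, deny content containing a <script> tag), given here as an added example and not Kiwi TCMS's own code. The function names, the exception class and the sample uploads are constructed for illustration; the sketch goes slightly beyond the advisory by also handling case variations and a tag split across two read chunks.

```python
import io
import re

class UploadRejected(ValueError):
    """Raised by a validator to refuse an upload (hypothetical name)."""

SCRIPT_TAG = re.compile(rb"<script", re.IGNORECASE)
# Bytes carried over between reads so a tag split across two chunks is still seen.
OVERLAP = len(b"<script") - 1

def deny_dot_exe(filename):
    # Compare case-insensitively and drop trailing dots/spaces, which Windows
    # ignores when it resolves a file name.
    if filename.rstrip(". ").lower().endswith(".exe"):
        raise UploadRejected(f"{filename!r}: .exe uploads are not allowed")

def deny_script_tag(stream, chunk_size=8192):
    # Scan in chunks so large attachments are never held in memory at once.
    tail = b""
    while chunk := stream.read(chunk_size):
        window = tail + chunk
        if SCRIPT_TAG.search(window):
            raise UploadRejected("upload contains a <script> tag")
        tail = window[-OVERLAP:]

def validate_upload(filename, stream):
    """Run every validator; return the rejection reasons (empty = accepted)."""
    reasons = []
    for check, arg in ((deny_dot_exe, filename), (deny_script_tag, stream)):
        try:
            check(arg)
        except UploadRejected as exc:
            reasons.append(str(exc))
    return reasons

if __name__ == "__main__":
    # Constructed sample uploads, not taken from a real incident.
    samples = {
        "plan-notes.txt": b"regression checklist for release",
        "Installer.EXE": b"MZ\x90\x00",
        "results.html": b"<p>ok</p><SCRIPT src=x.js></SCRIPT>",
    }
    for name, body in samples.items():
        print(name, "->", validate_upload(name, io.BytesIO(body)) or "accepted")
```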
Latest version: 12.4
Test Case Management System