CVE-2023-27489

Stored cross site scripting via SVG file upload in Kiwi TCMS

Description

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute. This vulnerability has been fixed by configuring Kiwi TCMS to serve with the Content-Security-Policy HTTP header which blocks inline JavaScript in all modern browsers. This configuration change is provided in version 12.1 and users are advised to upgrade. Users unable to upgrade may set their Content-Security-Policy HTTP header manually.

Category

7.6
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.43%
Vendor Advisory github.com
Affected: kiwitcms Kiwi
Published at:
Updated at:

References

Link Tags
https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j patch vendor advisory
https://github.com/kiwitcms/Kiwi/commit/6617cee0fb70cc394b7be6bbc86ef84e6e9de077 patch

Frequently Asked Questions

What is the severity of CVE-2023-27489?
CVE-2023-27489 has been scored as a high severity vulnerability.
How to fix CVE-2023-27489?
To fix CVE-2023-27489, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-27489 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-27489 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-27489?
CVE-2023-27489 affects kiwitcms Kiwi.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.