Lucene search

GitHub Advisory DatabaseGHSA-2WCR-87WF-CF9J

HistoryMar 30, 2023 - 8:18 p.m.

Kiwi TCMS Stored Cross-site Scripting via SVG file

2023-03-3020:18:29

CWE-79

GitHub Advisory Database

github.com

kiwi tcms

svg file

cross-site scripting

content-security-policy

patch

vulnerability

javascript

browser

workaround

references

antonio spataro

CVSS3

7.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

EPSS

0.001

Percentile

21.0%

JSON

Impact

Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute.

Patches

This vulnerability has been fixed by configuring Kiwi TCMS to serve with the Content-Security-Policy HTTP header which blocks inline JavaScript in all modern browsers.

Workarounds

Configure Content-Security-Policy header, see commit 6617cee0.

References

You can visit https://digi.ninja/blog/svg_xss.php for more technical details.

Independently disclosed by Antonio Spataro and @1d8.

Affected configurations

Vulners

Node

kiwitcmsRange<12.1

VendorProductVersionCPE
*kiwitcms*cpe:2.3:a:*:kiwitcms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	kiwitcms	*	cpe:2.3:a::kiwitcms::::::::*

References

github.com/advisories/GHSA-2wcr-87wf-cf9j

github.com/kiwitcms/Kiwi/commit/6617cee0fb70cc394b7be6bbc86ef84e6e9de077

github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j

nvd.nist.gov/vuln/detail/CVE-2023-27489

CVSS3

7.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

EPSS

0.001

Percentile

21.0%

JSON

Related for GHSA-2WCR-87WF-CF9J