CVE-2023-30613

HIGH

Kiwitcms Kiwi Tcms < 12.2 - Unrestricted File Upload

Title source: rule

Description

Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious actor may upload an `.exe` file or a file containing embedded JavaScript and trick others into clicking on these files, causing vulnerable browsers to execute malicious code on another computer. Kiwi TCMS v12.2 comes with functionality that allows administrators to configure additional upload validator functions which give them more control over what file types are accepted for upload. By default `.exe` are denied. Other files containing the `<script>` tag, regardless of their type are also denied b/c they are a path to XSS attacks. There are no known workarounds aside from upgrading.

References (4)

Core 4

Core References

Exploit, Third Party Advisory

https://huntr.com/bounties/c30d3503-600d-4d00-9571-98826a51f12c

Vendor Advisory x_refsource_confirm

https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-fwcf-753v-fgcj

Permissions Required x_refsource_misc

https://huntr.dev/bounties/c30d3503-600d-4d00-9571-98826a51f12c

Release Notes x_refsource_misc

https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/

Scores

CVSS v3 8.1

EPSS 0.0069

EPSS Percentile 71.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (2)

kiwitcms/kiwi_tcms < 12.2

pypi/kiwitcms 0 - 12.2PyPI

Published Apr 24, 2023

Tracked Since Feb 18, 2026