XSS in Kiwitcms Kiwi
CVE-2023-36809
Kiwi TCMS, an open source test management system allows users to upload attachments to test plans, test cases, etc. Versions of Kiwi TCMS prior to 12.5 had introduced changes which were meant to serve all uploaded files as plain text in or…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.007 (72.8th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N.
Affected products
- Kiwitcms Kiwi — versions < 12.5
Weakness classification (CWE)
References
- https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-jpgw-2r9m-8qfw (x_refsource_CONFIRM)
- https://huntr.dev/bounties/511489dd-ba38-4806-9029-b28ab2830aa8/ (x_refsource_MISC)
- https://huntr.dev/bounties/c6eeb346-fa99-4d41-bc40-b68f8d689223/ (x_refsource_MISC)
- https://kiwitcms.org/blog/kiwi-tcms-team/2023/07/04/kiwi-tcms-125/ (x_refsource_MISC)
- https://www.github.com/kiwitcms/kiwi/commit/195ea53eaaf360c19227c864cc0fe58910032c3c (x_refsource_MISC)
- https://www.github.com/kiwitcms/kiwi/commit/ffb00450be52fe11a82a2507632c2328cae4ec9d (x_refsource_MISC)
Frequently asked questions
- What is CVE-2023-36809?
- CVE-2023-36809 is a high-severity vulnerability in Kiwitcms Kiwi, classified under Cross-site Scripting. CVSS score: 8.1/10. Published 2023-07-05.
- How severe is CVE-2023-36809?
- High severity. CVSS v3 base score is 8.1 out of 10.