Home > Vulnerability Database > CVE-2023-27489

Mend.io Vulnerability Database

CVE-2023-27489

Good to know:

Date: March 29, 2023

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute. This vulnerability has been fixed by configuring Kiwi TCMS to serve with the Content-Security-Policy HTTP header which blocks inline JavaScript in all modern browsers. This configuration change is provided in version 12.1 and users are advised to upgrade. Users unable to upgrade may set their Content-Security-Policy HTTP header manually.

Language: Python

Severity Score

7.6

Related Resources (5)

Url: https://github.com/kiwitcms/Kiwi

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-27489

Url: https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j

Url: https://github.com/kiwitcms/Kiwi/commit/6617cee0fb70cc394b7be6bbc86ef84e6e9de077

Url: https://www.mend.io/vulnerability-database/CVE-2023-27489

Severity Score

7.6

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version kiwitcms - 12.1

Learn More

CVSS v3.1

Base Score:	7.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-27489

Good to know:

Date: March 29, 2023

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?