PT-2023-21164 · Kiwi Tcms · Kiwi Tcms

Antoniospataro · Published 2023-03-29 · Updated 2023-04-06 · CVE-2023-27489

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Kiwi TCMS versions prior to 12.1

Description: The issue arises from Kiwi TCMS accepting SVG files uploaded by users, which can contain JavaScript code. If such an SVG image is viewed directly, the JavaScript code could execute. This has been fixed by configuring Kiwi TCMS to serve responses with the Content-Security-Policy HTTP header, which blocks inline JavaScript in all modern browsers.

Recommendations: For versions prior to 12.1, upgrade to version 12.1 to resolve the issue. As a temporary workaround for users unable to upgrade, manually set the Content-Security-Policy HTTP header to block inline JavaScript.
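The following is an added example, not code from the advisory or from the Kiwi TCMS project, showing the workaround above in two parts: a WSGI middleware that stamps every response with a Content-Security-Policy header, and a checker that decides whether a given policy value actually blocks inline scripts (so a deployment can be verified rather than assumed). The policy string, the middleware name, the sample SVG and the sample application are assumptions constructed for illustration; Kiwi TCMS's real configuration is not reproduced here.

```python
"""Added example (not part of the advisory or of Kiwi TCMS).

Shows the CSP-based mitigation for script-bearing SVG uploads: a WSGI
middleware that adds a Content-Security-Policy header, plus a small checker
that tells whether a policy value blocks inline JavaScript.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Assumed policy for illustration (not Kiwi TCMS's real setting): scripts may
# only come from the same origin, so inline <script> in an SVG is not run.
EXAMPLE_POLICY = "default-src 'self'; object-src 'none'"

# Constructed sample upload: an SVG carrying a harmless inline script element.
SAMPLE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<script>console.log("inline")</script></svg>'
)

WsgiApp = Callable[[dict, Callable], Iterable[bytes]]


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [source expressions]}.

    Directives are ';'-separated; when a directive is repeated, the first
    occurrence wins and later ones are ignored, as browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def blocks_inline_scripts(header: str) -> bool:
    """Return True if the policy prevents inline <script> from executing.

    script-src governs scripts; if absent, default-src is the fallback. With
    neither, nothing restricts scripts. 'unsafe-inline' re-enables inline
    scripts, except that browsers ignore it once a nonce or hash source is
    present in the same directive.
    """
    policy = parse_csp(header)
    sources: Optional[List[str]] = policy.get("script-src")
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return False
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        return False
    return True


class ContentSecurityPolicyMiddleware:
    """WSGI middleware (assumed name) that sets CSP on every response."""

    def __init__(self, app: WsgiApp, policy: str = EXAMPLE_POLICY) -> None:
        self.app = app
        self.policy = policy

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        def start_response_with_csp(status, headers, exc_info=None):
            # Replace any policy the inner app set so the stricter one wins.
            headers = [(k, v) for k, v in headers if k.lower() != "content-security-policy"]
            headers.append(("Content-Security-Policy", self.policy))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_csp)


def sample_upload_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed stand-in for a view that serves an uploaded SVG as-is."""
    start_response("200 OK", [("Content-Type", "image/svg+xml")])
    return [SAMPLE_SVG]


def fetch_response(app: WsgiApp, path: str = "/uploads/sample.svg") -> Tuple[str, Dict[str, str], bytes]:
    """Invoke a WSGI app offline and capture (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return str(captured["status"]), dict(captured["headers"]), body  # type: ignore[arg-type]


if __name__ == "__main__":
    _, raw_headers, _ = fetch_response(sample_upload_app)
    _, safe_headers, _ = fetch_response(ContentSecurityPolicyMiddleware(sample_upload_app))
    print("unprotected CSP:", raw_headers.get("Content-Security-Policy"))
    print("protected CSP:  ", safe_headers.get("Content-Security-Policy"))
    print("inline scripts blocked:", blocks_inline_scripts(safe_headers.get("Content-Security-Policy", "")))
```

Two practical notes. First, the header only matters when the SVG is loaded as a top-level document (the "viewed directly" case in the description); an SVG embedded through an `<img>` tag never runs its scripts regardless of CSP. Second, the checker is the part worth keeping around: a policy such as `script-src 'self' 'unsafe-inline'` sets the header and still leaves inline scripts enabled, which is exactly the misconfiguration a quick curl-and-eyeball review tends to miss.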

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2023-27489
GHSA-2WCR-87WF-CF9J

Affected products

Kiwi Tcms