Kiwi TCMS · CVE-2023-32686
**Name of the Vulnerable Software and Affected Versions**
Kiwi TCMS versions prior to 12.3
**Description**
The issue arises from insufficient upload validation checks in Kiwi TCMS, allowing an attacker to upload potentially dangerous files. These files can be combined to circumvent the existing Content-Security-Policy, enabling the execution of arbitrary JavaScript in the browser.
**Recommendations**
For versions prior to 12.3, update to version 12.3 to resolve the issue.
As a temporary workaround, consider implementing a custom Django middleware, such as `ExtraHeadersMiddleware`, to force the `Content-Type: text/plain` header when serving uploaded files.
Alternatively, force the `Content-Type` header via Nginx overrides, specifically for the `/uploads/` location.
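As an added illustration of the middleware workaround described above (example code written for this page, not Kiwi TCMS's own `ExtraHeadersMiddleware`), the block below forces `Content-Type: text/plain` on everything served under `/uploads/`. It assumes uploads live under that path and uses duck-typed stub request/response objects so it runs without Django installed.

```python
# Added example (not Kiwi TCMS's own code): a Django-style middleware that forces
# Content-Type: text/plain on anything served from the /uploads/ path, so a file that
# was uploaded with a dangerous type is never interpreted as HTML/script by the browser.
# It follows Django's middleware protocol (__init__(get_response) / __call__(request))
# but uses the stub objects below, so it runs stand-alone without Django.

UPLOAD_PREFIX = "/uploads/"  # assumption: uploaded files are served under this prefix


class ExtraHeadersMiddleware:
    """Override the Content-Type of uploaded files; leave every other response untouched."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        if request.path.startswith(UPLOAD_PREFIX):
            # Django's HttpResponse supports item assignment for headers, as here.
            response["Content-Type"] = "text/plain"
            # Also disable MIME sniffing so the forced type is honoured (extra
            # hardening added in this example; not stated in the advisory text).
            response["X-Content-Type-Options"] = "nosniff"
        return response


# --- Minimal stand-ins for Django's request/response, for running outside Django ---
class StubRequest:
    def __init__(self, path):
        self.path = path


class StubResponse(dict):
    """Headers stored as a dict; mirrors response["Header"] = value in Django."""


def serve(path, stored_content_type):
    """Simulate a view that serves a file with the Content-Type the uploader supplied,
    wrapped in the middleware; return the final response headers."""
    def view(request):
        return StubResponse({"Content-Type": stored_content_type})

    return ExtraHeadersMiddleware(view)(StubRequest(path))


if __name__ == "__main__":
    # Constructed sample: an upload that claims to be HTML, and an ordinary static asset.
    print(serve("/uploads/attachments/report.html", "text/html"))
    print(serve("/static/main.js", "application/javascript"))
```

In a real deployment the class is registered in Django's `MIDDLEWARE` setting; the stub classes and `serve()` exist only so the block can be exercised on its own.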