PT-2023-21164 · Kiwi Tcms · Kiwi Tcms

Antoniospataro · Published 2023-03-29 · Updated 2023-04-06 · CVE-2023-27489

CVSS v3.1: 7.6 High
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Kiwi TCMS versions prior to 12.1

Description: Kiwi TCMS accepts SVG files uploaded by users, and an SVG file can contain JavaScript. If such an SVG image is viewed directly in the browser, the embedded JavaScript can execute (stored XSS). The issue has been fixed by configuring Kiwi TCMS to serve its responses with a Content-Security-Policy HTTP header that blocks inline JavaScript in all modern browsers.

Recommendations: For versions prior to 12.1, upgrade to version 12.1 to resolve the issue. As a temporary workaround, users who cannot upgrade should manually configure the Content-Security-Policy HTTP header to block inline JavaScript.
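The advisory describes two layers a defender can apply: the header-based fix that shipped in 12.1, and, as defence in depth, refusing script-bearing SVGs at upload time. The following is an added example written for this page; it is not Kiwi TCMS code. The uploads path prefix (`/uploads/`), the exact CSP value, the `nosniff` header and the scanner rules are this example's own choices and go beyond what the advisory states, which only says that the shipped fix blocks inline JavaScript via Content-Security-Policy.

```python
"""Defence in depth for user-uploaded SVG files (added example, not Kiwi TCMS code).

Layer 1: response headers for the path that serves uploads, mirroring the
         advisory's fix (a Content-Security-Policy that blocks inline JavaScript).
Layer 2: an upload-time scanner that rejects SVGs carrying active content, so
         a script-bearing file never reaches the media directory at all.
"""
import re
import xml.etree.ElementTree as ET

# Assumed path prefix under which uploaded media is served.
UPLOADS_PREFIX = "/uploads/"

# Header set for any response under the uploads prefix. These values are this
# example's choice, not the exact header Kiwi TCMS 12.1 ships.
UPLOAD_RESPONSE_HEADERS = {
    # No script source is permitted at all, so a <script> element or an on*
    # handler inside a directly opened SVG is refused by the browser.
    # style-src 'unsafe-inline' keeps ordinary SVG styling working.
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
    # Stop the browser from sniffing a more dangerous type for the body.
    "X-Content-Type-Options": "nosniff",
}


def upload_response_headers(path: str) -> dict:
    """Return the extra headers to attach to a response for `path`.

    Only paths under the uploads prefix get the restrictive policy; the rest of
    the application keeps whatever site-wide CSP it already has.
    """
    if path.startswith(UPLOADS_PREFIX):
        return dict(UPLOAD_RESPONSE_HEADERS)
    return {}


# Schemes that execute code when used as a link target inside an SVG.
_ACTIVE_URL = re.compile(r"^\s*(?:javascript|vbscript)\s*:", re.IGNORECASE)


def svg_has_active_content(data: bytes) -> bool:
    """Return True if the SVG document contains anything that can run script.

    Checks <script> elements (any namespace), on* event-handler attributes, and
    href / xlink:href values that use a javascript: or vbscript: scheme.
    Unparseable input is treated as active, so malformed files are rejected
    rather than trusted. For production use, parse with defusedxml to also
    cover entity-expansion attacks; the stdlib parser is used here so the
    example runs without third-party packages.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()  # drop the {namespace} prefix
        if tag == "script":
            return True
        for name, value in elem.attrib.items():
            local = name.split("}")[-1].lower()  # xlink:href -> href
            if local.startswith("on"):
                return True
            if local == "href" and _ACTIVE_URL.match(value):
                return True
    return False


def accept_upload(filename: str, data: bytes) -> bool:
    """Upload-time gate: reject SVGs with active content, accept everything else.

    Files are treated as SVG by extension or when the body starts with an XML
    tag, so renaming script.svg to script.png does not bypass the scan.
    """
    looks_like_svg = filename.lower().endswith(".svg") or data.lstrip().startswith(b"<")
    if looks_like_svg:
        return not svg_has_active_content(data)
    return True


# Constructed sample files used to exercise the scanner.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                          ("handler", HANDLER_SVG), ("href", HREF_SVG)]:
        print(f"{label:8s} accepted={accept_upload('logo.svg', sample)}")
    print(upload_response_headers("/uploads/logo.svg"))
```

The scanner is a second line of defence, not a replacement for the header: a browser that honours the CSP will refuse inline script even if a file slips through, while the scanner protects users of older or misconfigured clients and keeps hostile files out of backups and mirrors.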

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-27489
GHSA-2WCR-87WF-CF9J

Affected Products

Kiwi Tcms