CVE-2023-30613

Name of the Vulnerable Software and Affected Versions Kiwi TCMS versions prior to 12.2

Description The issue allows users to upload attachments to test plans, test cases, etc., without control over the types of files that can be uploaded. A malicious actor may upload an .exe file or a file containing embedded JavaScript, potentially tricking others into clicking on these files and causing vulnerable browsers to execute malicious code on another computer. This could lead to cross-site scripting (XSS) attacks. Kiwi TCMS version 12.2 introduces functionality for administrators to configure additional upload validator functions, giving them more control over accepted file types. By default, .exe files are denied, as are files containing the <script> tag, due to their potential for XSS attacks.

Recommendations Upgrade to Kiwi TCMS version 12.2 or later to resolve the issue. As a temporary workaround, consider restricting file uploads to trusted users or disabling the file upload feature until the upgrade is possible. Administrators can also configure additional upload validator functions to deny specific file types, such as .exe files or files containing the <script> tag.