PT-2023-23961 · Kiwi TCMS · Kiwi TCMS

Antonio Spataro (+1) · Published 2023-05-22 · Updated 2023-06-02 · CVE-2023-32686
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Kiwi TCMS versions prior to 12.3
Description: Kiwi TCMS performed insufficient validation of uploaded files, so an unauthenticated attacker could upload potentially dangerous files (content a browser will render and execute rather than display). Because the application serves those uploads back, several such files can be combined to circumvent the existing Content-Security-Policy and execute arbitrary JavaScript in the browser of any user who opens them (the UI:R component of the vector: a victim must open the attacker's upload).
Recommendations: Update to version 12.3 or later. As a temporary workaround until the upgrade, add a custom Django middleware, such as ExtraHeadersMiddleware, that forces the Content-Type: text/plain header when serving uploaded files, so browsers display them as inert text instead of executing them. Alternatively, force the Content-Type header via an Nginx override for the /uploads/ location. Pick the layer that actually serves the files: if Nginx serves /uploads/ straight from disk, Django middleware never sees those requests and only the Nginx override takes effect. After applying either workaround, confirm it with a request for a known upload (for example `curl -sI https://<host>/uploads/<file>` and check the Content-Type line).
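The middleware workaround in concrete form, as an added example that is not Kiwi TCMS's own ExtraHeadersMiddleware: a Django-style middleware that rewrites Content-Type to text/plain for everything served under /uploads/ and leaves all other responses untouched. The /uploads/ prefix, the sample file paths and the stub request/response classes are assumptions made so the file runs without Django installed; the stubs mimic only the `request.path` attribute and `response["Header"]` item access that Django's HttpRequest and HttpResponse provide. The nosniff and Content-Disposition headers are this example's extra hardening, not part of the advisory's workaround.

```python
"""Added example, not Kiwi TCMS's own code: a Django-style middleware that forces
Content-Type: text/plain on every response served under /uploads/, so an uploaded
HTML/JS/SVG file is shown as inert text instead of being rendered by the browser.
Django is deliberately not imported so the file runs stand-alone."""

UPLOADS_PREFIX = "/uploads/"  # assumption: URL prefix under which uploads are served


class ForcePlainTextUploadsMiddleware:
    """Register by adding this class's dotted path to Django's MIDDLEWARE setting."""

    def __init__(self, get_response):
        # Django's middleware contract: get_response is the next middleware or the view.
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        if request.path.startswith(UPLOADS_PREFIX):
            # The advisory's workaround: whatever MIME type the file was stored or
            # sniffed as, the browser is told it is plain text.
            response["Content-Type"] = "text/plain; charset=utf-8"
            # Extra hardening chosen for this example (beyond the advisory text):
            # forbid MIME sniffing and force a download instead of inline display.
            response["X-Content-Type-Options"] = "nosniff"
            response["Content-Disposition"] = "attachment"
        return response


# --- Stand-alone harness: constructed stubs, not part of the middleware itself ---

class _StubRequest:
    """Stand-in for django.http.HttpRequest exposing only .path."""

    def __init__(self, path):
        self.path = path


class _StubResponse(dict):
    """Stand-in for django.http.HttpResponse: headers are read/set as response["Name"]."""

    def __init__(self, content_type):
        super().__init__()
        self["Content-Type"] = content_type


# Constructed sample of what an unprotected file-serving view returns: the MIME type
# each upload was stored with, which is exactly what lets an HTML upload execute.
_STORED_CONTENT_TYPES = {
    "/uploads/attachments/1/page.html": "text/html",
    "/uploads/attachments/1/script.js": "text/javascript",
    "/plans/1/": "text/html; charset=utf-8",  # a normal application page, must stay as-is
}


def _file_view(request):
    return _StubResponse(_STORED_CONTENT_TYPES.get(request.path, "application/octet-stream"))


def response_headers(path):
    """Run one request through the middleware and return the resulting headers."""
    handler = ForcePlainTextUploadsMiddleware(_file_view)
    return dict(handler(_StubRequest(path)))


if __name__ == "__main__":
    for sample_path in _STORED_CONTENT_TYPES:
        print(sample_path, response_headers(sample_path))
```

The prefix match is on the raw request path, so place the middleware so that it runs for every route that can serve an upload, and keep the Nginx alternative in mind: a `location /uploads/` block that clears the MIME map (`types { }`) and sets `default_type text/plain;` achieves the same result for files Nginx serves directly, where this middleware is never invoked.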

Tags: Exploit · Fix · XSS · Unrestricted File Upload

Weakness Enumeration: XSS, Unrestricted File Upload

Related Identifiers: CVE-2023-32686, GHSA-X7C2-7WVG-JPX7

Affected Products: Kiwi TCMS