PT-2023-8827 · Kiwi Tcms+1

Mnqazi · Published 2023-06-06 · Updated 2023-06-14 · CVE-2023-33977

CVSS v2.0: 9.4 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions

Kiwi TCMS versions prior to 12.4

Description

The issue is related to the lack of protection of the web page structure in Kiwi TCMS, allowing a remote attacker to upload arbitrary attachments to test plans and test cases. Earlier versions of Kiwi TCMS had introduced upload validators and Content-Security-Policy definitions to prevent cross-site scripting attacks, but the upload validation checks were not robust, so they could be circumvented and potentially dangerous files uploaded. This allows the execution of arbitrary JavaScript in the browser. Additionally, Nginx's proxy_pass directive can strip some headers, negating protections built into Kiwi TCMS when it is served behind a reverse proxy.

Recommendations

For versions prior to 12.4, upgrade to version 12.4 or later to address the issue. Users who are unable to upgrade and who serve Kiwi TCMS behind a reverse proxy should make sure that the additional header values are still passed to the client browser. If they aren't, redefine them inside the proxy configuration. As a temporary workaround, consider improving the file upload validation code and updating the Nginx reverse proxy configuration to prevent exploitation.
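
One way to carry out the reverse-proxy check described above, as an added example that is not part of the advisory or of Kiwi TCMS: compare the response headers seen directly at the application with those seen through the proxy, and print Nginx add_header lines for any watched header that was lost. The function names, the watch list beyond Content-Security-Policy, and both sample header blocks are assumptions constructed for illustration.

```python
# Added example. Sample header blocks are constructed, not captured from Kiwi TCMS.
# Content-Security-Policy is named in the advisory; the second watched name is an assumption.
WATCHED = ("Content-Security-Policy", "X-Content-Type-Options")

def parse_headers(raw):
    """Parse the header block of `curl -sI` output into {lowercase-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def lost_behind_proxy(direct_raw, proxied_raw, watched=WATCHED):
    """Return {header: value the application sent} for watched headers the proxy dropped or changed."""
    direct, proxied = parse_headers(direct_raw), parse_headers(proxied_raw)
    lost = {}
    for name in watched:
        sent = direct.get(name.lower())
        if sent and proxied.get(name.lower()) != sent:
            lost[name] = ", ".join(sent)
    return lost

def nginx_redefinitions(lost):
    """Render add_header lines that redefine the lost values inside the proxy configuration."""
    lines = []
    for name, value in lost.items():
        quoted = value.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'add_header {name} "{quoted}" always;')
    return lines

DIRECT = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: script-src 'self'
X-Content-Type-Options: nosniff
"""
PROXIED = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    for line in nginx_redefinitions(lost_behind_proxy(DIRECT, PROXIED)):
        print(line)
```

When the proxy changed a value rather than dropped it, add_header alone sends a second copy of the header next to the altered one, so review that case by hand before applying the generated line.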

Exploit

Fix

Unrestricted File Upload

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-02097
CVE-2023-33977
GHSA-2FQM-M4R2-FH98

Affected Products

Kiwi Tcms
Nginx