7.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27489

GHSA ID

GHSA-2wcr-87wf-cf9j

EPSS Score

0.61577%

CWE

CWE-79

Published

3/30/2023

Updated

4/6/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-27489

CVE-2023-27489: Kiwi TCMS Stored Cross-site Scripting via SVG file

Impact

Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute.

Patches

This vulnerability has been fixed by configuring Kiwi TCMS to serve with the Content-Security-Policy HTTP header which blocks inline JavaScript in all modern browsers.

Workarounds

Configure Content-Security-Policy header, see commit 6617cee0.

References

You can visit https://digi.ninja/blog/svg_xss.php for more technical details.

Independently disclosed by Antonio Spataro and @1d8.

(GitHub Advisory)

7.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27489

GHSA ID

GHSA-2wcr-87wf-cf9j

EPSS Score

0.61577%

CWE

CWE-79

Published

3/30/2023

Updated

4/6/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
kiwitcms	pip	< 12.1	12.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

WAF Protection Rules

WAF Rule

### Imp**t Kiwi T*MS ****pts SV* *il*s uplo**** *y us*rs w*i** *oul* pot*nti*lly *ont*in J*v*S*ript *o**. I* SV* im***s *r* vi*w** *ir**tly, i.*. not r*n**r** in *n *TML p***, t*is J*v*S*ript *o** *oul* *x**ut*. ### P*t***s T*is vuln*r**ility **s *

Reasoning

No *n*lysis *v*il**l*

7.6

Basic Information

Concerned about an active attack path?

CVE-2023-27489: Kiwi TCMS Stored Cross-site Scripting via SVG file

Impact

Patches

Workarounds

References

7.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI