CVE-2023-27489

7.6 HIGH

📋 TL;DR

Kiwi TCMS versions before 12.1 are vulnerable to cross-site scripting (XSS) via malicious SVG file uploads. When users upload SVG files containing JavaScript and view them directly (not embedded in HTML), the JavaScript executes in their browser. This affects all Kiwi TCMS instances with SVG upload functionality enabled.

💻 Affected Systems

Products:
  • Kiwi TCMS
Versions: All versions before 12.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SVG upload functionality to be enabled and users to view uploaded SVG files directly.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as authenticated users, or redirecting to malicious sites.

🟠 Likely Case

Attackers upload malicious SVG files, trick users into viewing them, and steal session tokens or perform limited actions within the application.

🟢 If Mitigated

With proper Content-Security-Policy headers, modern browsers block inline JavaScript execution, preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access to upload SVG files and social engineering to get victims to view them directly.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.1

Vendor Advisory: https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j

Restart Required: Yes

Instructions:

1. Backup your Kiwi TCMS instance.
2. Upgrade to version 12.1 or later.
3. Restart the Kiwi TCMS service.
4. Verify the Content-Security-Policy header is present in HTTP responses.

🔧 Temporary Workarounds

Manual Content-Security-Policy Header

Configure your web server or reverse proxy to add a Content-Security-Policy header that blocks inline JavaScript: a script-src directive (or the default-src fallback) that does not include 'unsafe-inline'.

  • For nginx: add_header Content-Security-Policy "default-src 'self'; script-src 'self';" always;
  • For Apache: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
  • For IIS: Add a custom HTTP response header with name Content-Security-Policy and value default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Disable SVG file upload functionality in Kiwi TCMS configuration.
  • Implement web application firewall (WAF) rules to block SVG files containing JavaScript patterns.

🔍 How to Verify

Check if Vulnerable:

Check if Kiwi TCMS version is below 12.1 and if SVG uploads are enabled. Test by uploading an SVG file with JavaScript content and viewing it directly.

Check Version:

Check Kiwi TCMS web interface admin panel or run: docker exec kiwi_tcms python -c "import tcms; print(tcms.__version__)"

Verify Fix Applied:

After upgrade, verify HTTP responses include Content-Security-Policy header. Test SVG upload with JavaScript - it should not execute when viewed directly.
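An added example (not Kiwi TCMS project code) that checks what the workaround and the verification step above rely on: whether a response's Content-Security-Policy actually blocks inline scripts (script-src governs, default-src is the fallback, and 'unsafe-inline' is neutralised by a nonce or hash source) and whether an SVG response is served for inline rendering rather than as a download. The header values are constructed.

```python
"""Assess HTTP response headers for the CVE-2023-27489 mitigation:
a CSP that blocks inline scripts on directly viewed SVG files."""
import re

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [sources]}.
    First occurrence of a directive wins, as in browsers."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def csp_blocks_inline_scripts(header: str) -> bool:
    """True if the policy stops inline <script> execution."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # nothing governs scripts at all
    if "'unsafe-inline'" not in sources:
        return True
    # 'unsafe-inline' is ignored when a nonce- or hash-source is present
    return any(re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in sources)

def assess_svg_response(headers: dict) -> list:
    """Return a list of findings for a response serving an uploaded SVG.
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy header")
    elif not csp_blocks_inline_scripts(csp):
        findings.append("Content-Security-Policy permits inline scripts")
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").strip().lower()
    if ctype == "image/svg+xml" and not disposition.startswith("attachment"):
        findings.append("SVG is rendered inline (no Content-Disposition: attachment)")
    return findings

if __name__ == "__main__":
    # Constructed sample: an unpatched response with no CSP at all.
    sample = {"Content-Type": "image/svg+xml", "Server": "nginx"}
    for finding in assess_svg_response(sample):
        print("FINDING:", finding)
```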

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads from single users
  • Multiple failed SVG upload attempts
  • Requests to directly view uploaded SVG files

Network Indicators:

  • HTTP requests for SVG files with suspicious parameters
  • Lack of Content-Security-Policy headers in responses

SIEM Query:

source="kiwi_tcms" AND (event="file_upload" AND file_extension="svg") | stats count by user
