CVE-2023-30613
📋 TL;DR
Kiwi TCMS versions before 12.2 allow unrestricted file uploads, enabling attackers to upload malicious files like executables or JavaScript-containing files. This could lead to remote code execution or cross-site scripting attacks when users download and open these files. All Kiwi TCMS instances running vulnerable versions are affected.
💻 Affected Systems
- Kiwi TCMS
📦 What is this software?
Kiwi TCMS by kiwitcms
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on client systems when users download and execute malicious uploaded files, potentially leading to full system compromise.
Likely Case
Cross-site scripting attacks via malicious JavaScript files, leading to session hijacking, credential theft, or client-side attacks.
If Mitigated
No impact if proper file type validation is implemented and users follow safe download practices.
🎯 Exploit Status
Exploitation requires authenticated access to upload files, but the attack itself is simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.2
Vendor Advisory: https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-fwcf-753v-fgcj
Restart Required: Yes
Instructions:
1. Back up your Kiwi TCMS database and configuration.
2. Upgrade to version 12.2 or later using your package manager or installation method.
3. Restart the Kiwi TCMS service.
4. Verify the upgrade was successful.
🔧 Temporary Workarounds
Manual file validation
Implement custom middleware or validation to block executable files and files containing script tags.
Not applicable - requires custom code implementation
🧯 If You Can't Patch
- Implement web application firewall rules to block uploads of executable files and files containing script tags
- Disable file upload functionality entirely if not required for operations
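The following is an added example, not Kiwi TCMS code, of the kind of check the "manual file validation" workaround above describes: it refuses uploads by extension, by executable file signature (so a renamed binary is caught too), and by the presence of a script tag in the content. The hook point (a Django form's clean method or a middleware) and all function and constant names are assumptions.

```python
# Added example of an upload validator for the "manual file validation"
# workaround. Not Kiwi TCMS code; the names and the hook point are assumed.
import os
import re

# Extensions the advisory calls out (.exe, .js, .vbs) plus other executable
# or browser-active types that carry the same risk when downloaded and opened.
BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".jar", ".hta", ".html", ".htm", ".svg",
}

# Leading bytes of common native executable and script formats, so that a
# binary renamed to an innocuous extension is rejected as well.
EXECUTABLE_MAGIC = (
    b"MZ",                 # Windows PE
    b"\x7fELF",            # Linux ELF
    b"\xce\xfa\xed\xfe",   # Mach-O 32-bit, little-endian
    b"\xcf\xfa\xed\xfe",   # Mach-O 64-bit, little-endian
    b"\xfe\xed\xfa\xce",   # Mach-O 32-bit, big-endian
    b"\xfe\xed\xfa\xcf",   # Mach-O 64-bit, big-endian
    b"#!",                 # shebang script
)

# Matches an opening <script> tag regardless of case or surrounding whitespace.
SCRIPT_TAG = re.compile(rb"<\s*script[\s>/]", re.IGNORECASE)


def validate_upload(filename, content):
    """Return (accepted, reason) for a candidate upload.

    filename: the client-supplied name (only its basename is considered, so
              path components cannot influence the decision)
    content:  the raw bytes of the file
    """
    name = os.path.basename(filename.strip()).lower()
    ext = os.path.splitext(name)[1]
    if ext in BLOCKED_EXTENSIONS:
        return False, f"blocked extension {ext}"
    if content.startswith(EXECUTABLE_MAGIC):
        return False, "executable file signature"
    if SCRIPT_TAG.search(content):
        return False, "embedded <script> tag"
    return True, "ok"


if __name__ == "__main__":
    for fname, data in [
        ("test-plan.pdf", b"%PDF-1.4\n"),
        ("tool.EXE", b"MZ\x90\x00"),
        ("report.pdf", b"MZ\x90\x00\x03"),
        ("notes.txt", b"hi <SCRIPT src=x>"),
    ]:
        print(fname, validate_upload(fname, data))
```

In a Django application such as Kiwi TCMS this would be called from a file field validator or the form's clean method, raising a validation error with the returned reason. The content check is deliberately blunt: a text file that merely mentions `<script>` is also refused, which is the safer side to err on for files other users will download and open.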
🔍 How to Verify
Check if Vulnerable:
Check the Kiwi TCMS version; if it is below 12.2, the instance is vulnerable. Attempt to upload a file with a .exe extension or one containing <script> tags; if the upload succeeds, the instance is vulnerable.
Check Version:
Check the Kiwi TCMS web interface admin panel or run: python -c "import tcms; print(tcms.__version__)"
Verify Fix Applied:
After upgrading to 12.2 or later, attempt to upload .exe files or files containing <script> tags; these uploads should be rejected.
📡 Detection & Monitoring
Log Indicators:
- File uploads with suspicious extensions (.exe, .js, .vbs)
- Large number of file upload attempts
- Failed upload attempts after upgrade to 12.2+
Network Indicators:
- HTTP POST requests to upload endpoints with suspicious file types
- Unusual file download patterns from Kiwi TCMS
SIEM Query:
source="kiwi_tcms" AND (event="file_upload" AND (file_extension="exe" OR file_extension="js" OR file_extension="vbs"))
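As an added example (not part of the original page or of Kiwi TCMS), the detection logic of the three log indicators above, run over constructed upload events. The JSON field names (`source`, `event`, `user`, `filename`, `status`) mirror the SIEM query and are an assumed schema, not Kiwi TCMS's real log format; the burst threshold and window are illustrative tuning values.

```python
# Added example: detection of the log indicators over constructed events.
# The event schema, thresholds and names are assumptions, not Kiwi TCMS's own.
import json
from collections import defaultdict
from datetime import datetime, timedelta

SUSPICIOUS_EXTENSIONS = {"exe", "js", "vbs"}
BURST_THRESHOLD = 5                   # uploads by one user ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window count as a burst

# Constructed sample events: one JSON object per line, with a non-upload
# event and a malformed line mixed in to exercise the filtering.
SAMPLE_LOG = """\
{"ts": "2023-05-01T10:00:00", "source": "kiwi_tcms", "event": "file_upload", "user": "alice", "filename": "test-plan.pdf", "status": "ok"}
{"ts": "2023-05-01T10:05:00", "source": "kiwi_tcms", "event": "file_upload", "user": "bob", "filename": "payload.exe", "status": "ok"}
{"ts": "2023-05-01T10:07:00", "source": "kiwi_tcms", "event": "file_upload", "user": "carol", "filename": "notes.JS", "status": "ok"}
{"ts": "2023-05-01T10:10:00", "source": "kiwi_tcms", "event": "file_upload", "user": "dave", "filename": "screen1.png", "status": "ok"}
{"ts": "2023-05-01T10:10:30", "source": "kiwi_tcms", "event": "file_upload", "user": "dave", "filename": "screen2.png", "status": "ok"}
{"ts": "2023-05-01T10:11:00", "source": "kiwi_tcms", "event": "file_upload", "user": "dave", "filename": "screen3.png", "status": "ok"}
{"ts": "2023-05-01T10:11:30", "source": "kiwi_tcms", "event": "file_upload", "user": "dave", "filename": "screen4.png", "status": "ok"}
{"ts": "2023-05-01T10:12:00", "source": "kiwi_tcms", "event": "file_upload", "user": "dave", "filename": "screen5.png", "status": "ok"}
{"ts": "2023-05-01T11:00:00", "source": "kiwi_tcms", "event": "file_upload", "user": "erin", "filename": "macro.vbs", "status": "rejected"}
{"ts": "2023-05-01T11:01:00", "source": "kiwi_tcms", "event": "login", "user": "erin", "status": "ok"}
this line is not JSON and is skipped
"""


def parse_events(text):
    """Parse one JSON event per line, keeping only Kiwi TCMS file uploads."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole run
        if event.get("source") != "kiwi_tcms" or event.get("event") != "file_upload":
            continue
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def file_extension(filename):
    """Lower-cased final extension, or '' when the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def detect(events):
    """Return (indicator, user, detail) tuples for the three log indicators."""
    alerts = []
    upload_times = defaultdict(list)
    for event in events:
        user = event.get("user", "<unknown>")
        filename = event.get("filename", "")
        # Indicator 1: suspicious extension (case-insensitive).
        if file_extension(filename) in SUSPICIOUS_EXTENSIONS:
            alerts.append(("suspicious_extension", user, filename))
        # Indicator 3: rejected uploads, which appear once 12.2+ enforces checks.
        if event.get("status") == "rejected":
            alerts.append(("rejected_upload", user, filename))
        upload_times[user].append(event["ts"])
    # Indicator 2: many uploads by one user inside a sliding time window.
    for user, times in upload_times.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= BURST_WINDOW:
                j += 1
            if j - i >= BURST_THRESHOLD:
                alerts.append(("upload_burst", user, f"{j - i} uploads within {BURST_WINDOW}"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(*alert)
```

Rejected uploads are worth alerting on even though they are the fix working as intended: on a freshly upgraded instance they show who is still trying to upload the blocked types, which is the population to look at for earlier, successful uploads.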
🔗 References
- https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-fwcf-753v-fgcj
- https://huntr.dev/bounties/c30d3503-600d-4d00-9571-98826a51f12c
- https://kiwitcms.org/blog/kiwi-tcms-team/2023/04/23/kiwi-tcms-122/
- https://huntr.com/bounties/c30d3503-600d-4d00-9571-98826a51f12c