CVE-2023-32686
📋 TL;DR
CVE-2023-32686 is a cross-site scripting (XSS) vulnerability in Kiwi TCMS that allows attackers to bypass file upload validation and upload malicious files. When combined with other files, these can circumvent the Content Security Policy and execute arbitrary JavaScript in users' browsers. All Kiwi TCMS instances running versions before 12.3 are affected.
💻 Affected Systems
- Kiwi TCMS
📦 What is this software?
Kiwi TCMS by kiwitcms
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as authenticated users, or delivering malware to users.
Likely Case
Attackers upload malicious files that execute JavaScript payloads, leading to session hijacking, account takeover, or data exfiltration from authenticated users.
If Mitigated
With proper input validation and Content Security Policy enforcement, malicious file uploads would be blocked, preventing JavaScript execution.
🎯 Exploit Status
Exploitation requires uploading multiple files that work together to bypass CSP. Attackers need to understand the specific validation bypass technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.3
Vendor Advisory: https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-x7c2-7wvg-jpx7
Restart Required: Yes
Instructions:
1. Back up your Kiwi TCMS database and configuration.
2. Update Kiwi TCMS to version 12.3 or later using your package manager or deployment method.
3. Restart the Kiwi TCMS service.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Disable file uploads
Temporarily disable file upload functionality in Kiwi TCMS to prevent exploitation.
Modify Kiwi TCMS configuration to disable file uploads (specific method depends on deployment)
Implement WAF rules
Configure the web application firewall to block malicious file upload patterns.
Add WAF rules to block suspicious file uploads and JavaScript execution attempts
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to limit script execution
- Monitor file uploads for suspicious patterns and review uploaded files regularly
🔍 How to Verify
Check if Vulnerable:
Check the Kiwi TCMS version. If it is below 12.3, the system is vulnerable.
Check Version:
Check the Kiwi TCMS web interface or run the appropriate command for your deployment method.
Verify Fix Applied:
Verify that the Kiwi TCMS version is 12.3 or higher and test file upload functionality with various file types.
📡 Detection & Monitoring
Log Indicators:
- Multiple file uploads from a single user in a short timeframe
- Uploads of files with unusual extensions or content types
- JavaScript execution errors in browser logs
Network Indicators:
- HTTP POST requests to upload endpoints with suspicious file content
- Multiple file uploads followed by script execution attempts
SIEM Query:
source="kiwi_tcms" AND (event="file_upload" AND (file_extension="js" OR file_extension="html" OR file_extension="svg"))
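The log indicators above, as an added example that is not from this page or the Kiwi TCMS project: a small Python checker that applies the risky-extension rule from the SIEM query and the burst-of-uploads rule to constructed sample log lines. The log line format, the 60-second window and the threshold of three uploads are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample upload log lines (not real Kiwi TCMS output); the format is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice event=file_upload name=report.pdf type=application/pdf
2024-05-01T10:00:05Z user=mallory event=file_upload name=a.svg type=image/svg+xml
2024-05-01T10:00:09Z user=mallory event=file_upload name=b.html type=text/html
2024-05-01T10:00:12Z user=mallory event=file_upload name=c.js type=text/javascript
2024-05-01T10:01:00Z user=bob event=file_upload name=screenshot.png type=image/png
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) name=(?P<name>\S+) type=(?P<ctype>\S+)$")
RISKY_EXT = {"js", "html", "svg"}   # the same extensions the SIEM query keys on
BURST_COUNT = 3                     # uploads inside BURST_WINDOW that count as a burst (assumed)
BURST_WINDOW = timedelta(seconds=60)

def parse(log: str):
    """Yield one dict per well-formed log line, with the timestamp parsed."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield d

def risky_uploads(log: str):
    """Return (user, filename) for uploads whose extension is in RISKY_EXT."""
    return [(e["user"], e["name"]) for e in parse(log)
            if e["event"] == "file_upload" and e["name"].rsplit(".", 1)[-1].lower() in RISKY_EXT]

def upload_bursts(log: str):
    """Return users with at least BURST_COUNT uploads inside any BURST_WINDOW."""
    by_user = defaultdict(list)
    for e in parse(log):
        if e["event"] == "file_upload":
            by_user[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - BURST_COUNT + 1):   # sliding window over sorted timestamps
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                flagged.add(user)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print("risky uploads:", risky_uploads(SAMPLE_LOG))
    print("upload bursts:", upload_bursts(SAMPLE_LOG))
```

Both rules together narrow review to the user who uploaded several script-capable files in quick succession, which is the pattern the advisory describes.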