CVE-2023-33977: Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, ...

Description

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded and Content-Security-Policy definition to prevent cross-site-scripting attacks. The upload validation checks were not 100% robust which left the possibility to circumvent them and upload a potentially dangerous file which allows execution of arbitrary JavaScript in the browser. Additionally we've discovered that Nginx's `proxy_pass` directive will strip some headers negating protections built into Kiwi TCMS when served behind a reverse proxy. This issue has been addressed in version 12.4. Users are advised to upgrade. Users unable to upgrade who are serving Kiwi TCMS behind a reverse proxy should make sure that additional header values are still passed to the client browser. If they aren't redefining them inside the proxy configuration.

Metrics

CVSS 3.1

5.4/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

0.87%

54.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Kiwitcms	Kiwi Tcms	<= 12.3

References

https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L66-L68Product
https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L87Product
https://github.com/kiwitcms/Kiwi/commit/d789f4b51025de4f8c747c037d02e1b0da80b034Patch
https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98Mitigation, Vendor Advisory
https://huntr.dev/bounties/6aea9a26-e29a-467b-aa5a-f767f0c2ec96/Exploit, Issue Tracking, Patch, Third Party Advisory
https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L66-L68Product
https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L87Product
https://github.com/kiwitcms/Kiwi/commit/d789f4b51025de4f8c747c037d02e1b0da80b034Patch
https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98Mitigation, Vendor Advisory
https://huntr.dev/bounties/6aea9a26-e29a-467b-aa5a-f767f0c2ec96/Exploit, Issue Tracking, Patch, Third Party Advisory

Timeline

Published: Jun 6, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-33977?

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded and Content-Security-Policy definition to prevent cross-site-scripting attacks. The upload validation checks were not 100% robust which left the possibility to circumvent them and upload a potentially dangerous file which allows execution of arbitrary JavaScript in the browser. Additionally we've discovered that Nginx's `proxy_pass` directive will strip some headers negating protections built into Kiwi TCMS when served behind a reverse proxy. This issue has been addressed in version 12.4. Users are advised to upgrade. Users unable to upgrade who are serving Kiwi TCMS behind a reverse proxy should make sure that additional header values are still passed to the client browser. If they aren't redefining them inside the proxy configuration.

How severe is CVE-2023-33977?

CVE-2023-33977 has a CVSS score of 5.4/10 (MEDIUM severity). The EPSS model estimates a 0.87% probability of exploitation in the next 30 days.

How do I fix CVE-2023-33977?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.