SCA: security update for kiwitcms (GHSA-fwcf-753v-fgcj)

critical Tenable Cloud Security Plugin ID 414731

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test
cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be
uploaded. Thus, a malicious actor may upload an `.exe` file or a file containing embedded JavaScript and
trick others into clicking on these files, causing vulnerable browsers to execute malicious code on
another computer. Kiwi TCMS v12.2 comes with functionality that allows administrators to configure
additional upload validator functions, which give them more control over what file types are accepted for
upload. By default, `.exe` files are denied. Other files containing the `<script>` tag, regardless of their
type, are also denied because they are a path to XSS attacks. There are no known workarounds aside from
upgrading. (CVE-2023-30613)

See Also

https://github.com/advisories/GHSA-fwcf-753v-fgcj

Plugin Details

Severity: Critical

ID: 414731

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.66

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-30613

CVSS v3

Risk Factor: Critical

Base Score: 9

Temporal Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/23/2023

Vulnerability Publication Date: 4/23/2023

Reference Information

CVE: CVE-2023-30613

CWE: CWE-434