Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-4mkq-zptr-zqe9
Vulnerability ID VCID-4mkq-zptr-zqe9
Aliases CVE-2023-27489
GHSA-2wcr-87wf-cf9j
Summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute. This vulnerability has been fixed by configuring Kiwi TCMS to serve with the `Content-Security-Policy` HTTP header which blocks inline JavaScript in all modern browsers. This configuration change is provided in version 12.1 and users are advised to upgrade. Users unable to upgrade may set their `Content-Security-Policy` HTTP header manually.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.0071 https://api.first.org/data/v1/epss?cve=CVE-2023-27489
epss 0.0071 https://api.first.org/data/v1/epss?cve=CVE-2023-27489
epss 0.0071 https://api.first.org/data/v1/epss?cve=CVE-2023-27489
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-2wcr-87wf-cf9j
cvssv3.1 7.6 https://github.com/kiwitcms/Kiwi
generic_textual HIGH https://github.com/kiwitcms/Kiwi
cvssv3.1 7.6 https://github.com/kiwitcms/Kiwi/commit/6617cee0fb70cc394b7be6bbc86ef84e6e9de077
generic_textual HIGH https://github.com/kiwitcms/Kiwi/commit/6617cee0fb70cc394b7be6bbc86ef84e6e9de077
ssvc Track https://github.com/kiwitcms/Kiwi/commit/6617cee0fb70cc394b7be6bbc86ef84e6e9de077
cvssv3.1 7.6 https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j
cvssv3.1_qr HIGH https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j
generic_textual HIGH https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j
ssvc Track https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j
cvssv3.1 7.6 https://nvd.nist.gov/vuln/detail/CVE-2023-27489
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-27489
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-27489
https://github.com/kiwitcms/Kiwi
https://github.com/kiwitcms/Kiwi/commit/6617cee0fb70cc394b7be6bbc86ef84e6e9de077
CVE-2023-27489 https://nvd.nist.gov/vuln/detail/CVE-2023-27489
GHSA-2wcr-87wf-cf9j https://github.com/advisories/GHSA-2wcr-87wf-cf9j
GHSA-2wcr-87wf-cf9j https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L Found at https://github.com/kiwitcms/Kiwi
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L Found at https://github.com/kiwitcms/Kiwi/commit/6617cee0fb70cc394b7be6bbc86ef84e6e9de077
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-12T16:01:19Z/ Found at https://github.com/kiwitcms/Kiwi/commit/6617cee0fb70cc394b7be6bbc86ef84e6e9de077
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L Found at https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-12T16:01:19Z/ Found at https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-27489
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.72643
EPSS Score 0.0071
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:44:23.493164+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/kiwitcms/Kiwi/CVE-2023-27489.yml 38.6.0