VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-vwh4-vx7r-rfg9

Essentials
Severities (26)
References (13)
Severity details (25)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-vwh4-vx7r-rfg9
Aliases	CVE-2023-33977 GHSA-2fqm-m4r2-fh98
Summary	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded and `Content-Security-Policy` definition to prevent cross-site-scripting attacks. The upload validation checks were not 100% robust which left the possibility to circumvent them and upload a potentially dangerous file which allows execution of arbitrary JavaScript in the browser. Additionally we've discovered that Nginx's `proxy_pass` directive will strip some headers negating protections built into Kiwi TCMS when served behind a reverse proxy. This issue has been addressed in version 12.4. Users are advised to upgrade. Users unable to upgrade who are serving Kiwi TCMS behind a reverse proxy should make sure that additional header values are still passed to the client browser. If they aren't redefining them inside the proxy configuration.
Status	Published
Exploitability	0.5
Weighted Severity	0.0
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (5)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-434	Unrestricted Upload of File with Dangerous Type

System	Score	Found at
epss	0.04614	https://api.first.org/data/v1/epss?cve=CVE-2023-33977
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-2fqm-m4r2-fh98
cvssv3.1	8.1	https://github.com/kiwitcms/Kiwi
generic_textual	HIGH	https://github.com/kiwitcms/Kiwi
cvssv3.1	8.1	https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L66-L68
generic_textual	HIGH	https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L66-L68
ssvc	Track*	https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L66-L68
cvssv3.1	8.1	https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L87
generic_textual	HIGH	https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L87
ssvc	Track*	https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L87
cvssv3.1	8.1	https://github.com/kiwitcms/kiwi/commit/d789f4b51025de4f8c747c037d02e1b0da80b034
generic_textual	HIGH	https://github.com/kiwitcms/kiwi/commit/d789f4b51025de4f8c747c037d02e1b0da80b034
cvssv3.1	8.1	https://github.com/kiwitcms/Kiwi/commit/d789f4b51025de4f8c747c037d02e1b0da80b034
ssvc	Track*	https://github.com/kiwitcms/Kiwi/commit/d789f4b51025de4f8c747c037d02e1b0da80b034
cvssv3.1	8.1	https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98
cvssv3.1_qr	HIGH	https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98
generic_textual	HIGH	https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98
ssvc	Track*	https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98
cvssv3.1	8.1	https://huntr.dev/bounties/6aea9a26-e29a-467b-aa5a-f767f0c2ec96
generic_textual	HIGH	https://huntr.dev/bounties/6aea9a26-e29a-467b-aa5a-f767f0c2ec96
cvssv3.1	8.1	https://huntr.dev/bounties/6aea9a26-e29a-467b-aa5a-f767f0c2ec96/
ssvc	Track*	https://huntr.dev/bounties/6aea9a26-e29a-467b-aa5a-f767f0c2ec96/
cvssv3.1	8.1	https://kiwitcms.org/blog/kiwi-tcms-team/2023/06/06/kiwi-tcms-124
generic_textual	HIGH	https://kiwitcms.org/blog/kiwi-tcms-team/2023/06/06/kiwi-tcms-124
cvssv3.1	8.1	https://nvd.nist.gov/vuln/detail/CVE-2023-33977
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2023-33977

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2023-33977
		https://github.com/kiwitcms/Kiwi
		https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L66-L68
		https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L87
		https://github.com/kiwitcms/kiwi/commit/d789f4b51025de4f8c747c037d02e1b0da80b034
		https://huntr.dev/bounties/6aea9a26-e29a-467b-aa5a-f767f0c2ec96
		https://huntr.dev/bounties/6aea9a26-e29a-467b-aa5a-f767f0c2ec96/
		https://kiwitcms.org/blog/kiwi-tcms-team/2023/06/06/kiwi-tcms-124
		https://kiwitcms.org/blog/kiwi-tcms-team/2023/06/06/kiwi-tcms-124/
CVE-2023-33977		https://nvd.nist.gov/vuln/detail/CVE-2023-33977
d789f4b51025de4f8c747c037d02e1b0da80b034		https://github.com/kiwitcms/Kiwi/commit/d789f4b51025de4f8c747c037d02e1b0da80b034
GHSA-2fqm-m4r2-fh98		https://github.com/advisories/GHSA-2fqm-m4r2-fh98
GHSA-2fqm-m4r2-fh98		https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/kiwitcms/Kiwi

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L66-L68

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-07T18:29:53Z/ Found at https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L66-L68

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L87

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-07T18:29:53Z/ Found at https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L87

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/kiwitcms/kiwi/commit/d789f4b51025de4f8c747c037d02e1b0da80b034

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/kiwitcms/Kiwi/commit/d789f4b51025de4f8c747c037d02e1b0da80b034

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-07T18:29:53Z/ Found at https://github.com/kiwitcms/Kiwi/commit/d789f4b51025de4f8c747c037d02e1b0da80b034

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-07T18:29:53Z/ Found at https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://huntr.dev/bounties/6aea9a26-e29a-467b-aa5a-f767f0c2ec96

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://huntr.dev/bounties/6aea9a26-e29a-467b-aa5a-f767f0c2ec96/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-07T18:29:53Z/ Found at https://huntr.dev/bounties/6aea9a26-e29a-467b-aa5a-f767f0c2ec96/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://kiwitcms.org/blog/kiwi-tcms-team/2023/06/06/kiwi-tcms-124

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-33977

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.89431
EPSS Score	0.04614
Published At	May 30, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-30T21:00:47.380866+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/kiwitcms/CVE-2023-33977.yml	38.6.0