This repository addresses the stored XSS vulnerability discovered in the kiwitcms/kiwi application, which was assigned CVE-2023-33977. The vulnerability allows malicious scripts to be executed via SVG file uploads. When an SVG file containing the payload is uploaded, the script executes in the context of the victim's browser, potentially leading to data theft, account compromise, and the distribution of malware.
A detailed proof of concept for this vulnerability can be found in the following video:
The impact of this vulnerability is significant and poses a serious risk to the security and integrity of the kiwitcms/kiwi application. Attackers can leverage this vulnerability to inject malicious scripts into the website, potentially allowing them to steal sensitive information, hijack user sessions, deface the website, manipulate content, and launch phishing attacks. These actions can result in reputational damage, compromised user accounts, and the dissemination of malware throughout the system.
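As an added example (not code from this repository or from the Kiwi TCMS project, and not the project's actual fix), an upload-time check for the active content that turns an SVG upload into a stored XSS vector could look like the following. The function name `svg_active_content`, the deny-lists and the sample SVGs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Elements that run script or embed arbitrary HTML when the SVG is rendered.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes that can carry a URL (animation elements can set href via to/values).
URL_ATTRS = {"href", "src", "to", "values"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

# Constructed samples; the handler and script bodies are inert placeholders.
SAMPLE_STATIC = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SAMPLE_ACTIVE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
                 b'<script>/* inert placeholder */</script><circle r="4"/></svg>')


def _local(name):
    """Drop the '{namespace}' prefix ElementTree adds to qualified names."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list:
    """Return reasons to reject an uploaded SVG; an empty list means none found."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["not UTF-8 encoded"]
    lowered = text.lower()
    # Strict policy: no DTDs, so entities cannot expand or hide markup.
    if "\x00" in text or "<!doctype" in lowered or "<!entity" in lowered:
        return ["DOCTYPE/ENTITY declaration or NUL byte"]
    try:
        root = ET.fromstring(text)  # str input is parsed as UTF-8
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = _local(name)
            compact = "".join(value.split()).lower()  # conservative: drop all whitespace
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr in URL_ATTRS and compact.startswith(SCRIPT_SCHEMES):
                findings.append(f"{attr} with script URL on <{tag}>")
    return findings


if __name__ == "__main__":
    for label, sample in (("static", SAMPLE_STATIC), ("active", SAMPLE_ACTIVE)):
        print(label, svg_active_content(sample) or "accepted")
```

A deny-list like this is a screening step only; serving uploaded files with `Content-Disposition: attachment` or from a separate origin limits what any payload it misses can do.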
For more details on this vulnerability, please refer to the following resources:
- huntr.dev Report
- Medium Blog - Stored XSS Via SVG Upload in kiwitcms/kiwi
You can also follow me for updates on my research and other security-related topics:
- Instagram: @mnqazi
- Twitter: @mnqazi
- Facebook: @mnqazi
- LinkedIn: M Nadeem Qazi
Let's prioritize security and protect our systems from potential threats. Stay vigilant! 💻🔒