mnqazi / CVE-2023-33977

Read more at Medium

Home Page: https://medium.com/@mnqazi/stored-xss-vulnerability-in-kiwitcms-kiwi-cve-2023-33977-1234567890


CVE-2023-33977

Stored XSS Via SVG Upload in kiwitcms/kiwi - by M Nadeem Qazi

Description

This repository addresses the stored XSS vulnerability discovered in the kiwitcms/kiwi application, which was assigned the CVE-2023-33977 identifier. The vulnerability allows for the execution of malicious scripts via SVG file uploads. When an SVG file containing the payload is uploaded, the script gets executed in the context of the victim's browser, potentially leading to data theft, account compromise, and the distribution of malware.

Proof of Concept

A detailed proof of concept for this vulnerability can be found in the following video:

Proof of Concept

Impact

The impact of this vulnerability is significant and poses a serious risk to the security and integrity of the kiwitcms/kiwi application. Attackers can leverage this vulnerability to inject malicious scripts into the website, potentially allowing them to steal sensitive information, hijack user sessions, deface the website, manipulate content, and launch phishing attacks. These actions can result in reputational damage, compromised user accounts, and the dissemination of malware throughout the system.

References

For more details on this vulnerability, please refer to the following resources:

You can also follow me for updates on my research and other security-related topics:

Let's prioritize security and protect our systems from potential threats. Stay vigilant! 💻🔒