Cross-site Scripting in kiwitcms

2022-11-2121:30:15

Google

osv.dev

cross-site scripting

kiwitcms

stored xss

test plan

malicious javascript

html injection

ui redressing attack

clickjacking

history page

software

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

21.6%

JSON

A stored XSS in a kiwi Test Plan can run malicious javascript which could be chained with an HTML injection to perform a UI redressing attack (clickjacking) and an HTML injection which disables the use of the history page.

CPENameOperatorVersion
kiwitcmseq8.7
kiwitcmseq9.999
kiwitcmseq6.5
kiwitcmseq8.0
kiwitcmseq7.2
kiwitcmseq10.0
kiwitcmseq7.0
kiwitcmseq7.1
kiwitcmseq8.2
kiwitcmseq11.0