Stored XSS and HTML injection from markdown in kiwitcms/kiwi
Reported on
Nov 2nd 2022
Description
Stored XSS, also known as persistent XSS, is the more damaging kind of XSS. It occurs when a malicious script is injected directly into a vulnerable web application and persisted there. Due to a sanitization problem it is possible to perform both a Stored XSS and an HTML injection. With this attack it is possible to disable the history page, making it unusable (for example, I created a transparent page on top of it with an infinite redirect), or it is possible to create a stored XSS.
The problem is that the markdown input is sanitized in the TestPlan, but it is not sanitized by the history page. On the history page it will run.
Proof of Concept
1 - Insert one of the following payloads into a Test Plan.
2 - Go to the history page.
Stored XSS:
<a href="https://evil.com/users/signin" onmouseover="confirm(document.cookie)" style="position: fixed; top: 0; right: 0; width: 10000px; height: 10040px; opacity:0.00001;">foo</a>
Stored HTML Injection - Disable the history page:
<a href='https://evil.com/users/signin' style='position: fixed; top: 0; right: 0; width: 10000px; height: 10040px; opacity:0.00001;'>foo</a>
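The fix the report points at is output-side sanitization: whatever was stored must be run through an allow-list HTML sanitizer when the history diff is rendered, not only when the Test Plan is saved. The following is an added example (not Kiwi TCMS code, and not the patch from the pull request) that uses only the Python standard library to show what such a sanitizer does to the two payloads above: it keeps the `<a>` tag, keeps an `href` only if it uses a safe scheme, and drops every `on*` event handler and `style` attribute, so neither the cookie-stealing `onmouseover` nor the full-screen transparent overlay survives. The tag and attribute allow-list and the `render_history_diff` function are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Allow-list of tags and, per tag, the attributes that may survive.
# Constructed for this example; a real deployment would tune it to the
# markdown features it actually renders.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "p": set(), "br": set(), "em": set(), "strong": set(), "code": set(),
    "pre": set(), "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "h1": set(), "h2": set(), "h3": set(), "h4": set(), "h5": set(), "h6": set(),
}
# Tags whose entire inner content is discarded, not merely unwrapped.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


def _safe_href(value):
    """Accept only site-relative links or http/https/mailto URLs."""
    v = value.strip()
    if v.startswith(("/", "#")) and not v.startswith("//"):
        return True
    return v.lower().startswith(SAFE_URL_SCHEMES)


class AllowListSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch, emitting only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is unwrapped: its text is kept, the tag is not
        kept = []
        for name, value in attrs:
            # Anything not allow-listed for this tag is dropped here, which
            # covers every on* handler and the style attribute.
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always re-escaped, so stored '<' or '&' cannot become markup.
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped


def sanitize_html(fragment):
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def render_history_diff(old_html, new_html):
    """Hypothetical history view: both stored versions are sanitized at render
    time, so the page stays safe even if the save path was bypassed."""
    return (
        '<div class="history-old">' + sanitize_html(old_html) + "</div>"
        '<div class="history-new">' + sanitize_html(new_html) + "</div>"
    )


if __name__ == "__main__":
    # Constructed input: the first payload from the Proof of Concept above.
    payload = ('<a href="https://evil.com/users/signin" '
               'onmouseover="confirm(document.cookie)" '
               'style="position: fixed; top: 0; right: 0; width: 10000px; '
               'height: 10040px; opacity:0.00001;">foo</a>')
    print(render_history_diff("<p>old text</p>", payload))
```

The important design choice is that `sanitize_html` is applied where the HTML is emitted (the history view), independently of whatever the Test Plan editor does on save; a sanitizer that runs only on one input path is exactly the gap this report describes.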
POC Video (Payload execution):
https://drive.google.com/file/d/1n7ZSrOOIb47vZro4ck2-hPRkzbSiX8CF/view?usp=sharing
Update:
I made a video where a basic user (not an admin) creates a test plan. When the admin goes into the history of the test plan created by the basic user, the XSS will appear (stored blind XSS).
POC:
https://drive.google.com/file/d/1FlGvATGWKWXXoMB6h2Z-JOX1gVhkssx5/view?usp=share_link
Impact
- Stored XSS to run malicious JavaScript
- HTML injection to perform a UI redressing attack (clickjacking)
- HTML injection which disables the use of the history page
Patch in https://github.com/kiwitcms/Kiwi/pull/2970. Will update this bounty once we have packaged an updated version in the next few days.
@admin this is my first time using this platform. Could I know if I will be able to get a CVE, this being a framework with more than a million downloads? Can I possibly report the CVE to MITRE? Plus I don't understand how it works; will I get a bounty for the vulnerability?
Hi Antonio, welcome! Our systems recognise popular repos and will ask the maintainer to assign a CVE automatically as soon as they're ready to publish your vulnerability. Unfortunately, this report doesn't have a bounty associated with it.
To go to MITRE you must be a CNA. In our case, we put that ability in the hands of the maintainer.
Hope that helps! Feel free to directly message us if anything else is unclear :)
Perfect, thank you so much for the clarification. I will look forward to the recognition of the CVE.
@maintainer Hi, I saw that a new software version has been released, dated 09 November, and a vulnerability fix has been implemented. In the changelog it says "Sanitize HTML input when generating history diff to prevent XSS attacks". I would like to know from the maintainer whether, now that it has been fixed, it is possible to get the CVE and make the vulnerability public. https://kiwitcms.readthedocs.io/en/latest/changelog.html
@admin for the admin: I have no idea if the maintainer is able to see this message or not; if not, I would appreciate it if you could ask for updates, as the patch has now been released and the software is up to date. I would like to know at least whether the CVE will be released in the future, because I don't quite understand if the maintainer wants to release it or not.
Hi again Antonio! Could you please nudge them to publish it and assign a CVE via their security.md email?
Hi, I wrote a mail to the team as you suggested, thanks a lot for your reply :)
@admin the team replied to me with: "You can make the vulnerability public, but we don't know how to create a CVE number because we've not done this before."
What should I tell them? Could you explain to me how they should do it, or possibly contact them? For me it is not a problem to act as an intermediary.
For now I answered like this, let me know what to do: "I reported the vulnerability from huntr.dev. They have the necessary permissions to let you perform the CVE request, and they replied to me with the following text: "To go to MITRE you must be a CNA. In our case, we put that ability in the hands of the maintainer. (meaning kiwitcms maintainer)". I contacted their team again, asking about the CVE assignment process so you can go through it; it shouldn't be anything complicated, I think it takes a few minutes and filling out an online form, and for me as a security analyst it's a great reason to be proud if you could do it. If you assign me the CVE, I would analyze more versions of your software for free, and like me other cyber security analysts who believe in open source would do it. I will contact you with the info on how to do it, or eventually they will contact you (huntr.dev). Since the framework has over a million downloads and huntr.dev gives you as a team the ability to assign a CVE, and since the vulnerability was quite severe, I'd like a CVE code to be assigned.
Hope to hear from you soon, have a nice day. Antonio Rocco Spataro"