Stored XSS in kiwiTCMS in kiwitcms/kiwi


Reported on

Nov 23rd 2022


Stored XSS, also known as persistent XSS, is the more damaging of the XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform a Stored XSS. The problem is that the upload function permit malicious extensions like svg file. Due to this stored xss it is possible to become admin problably, and perform other malicious actions using the api endpoint, I will try later on a local instance and I will let you know.

Not sanitizing extensions could lead to more serious things, such as SSRF or RCE. I didn't test those, stopped as soon as I saw that you could upload SVG files.

Proof of Concept

1 - Upload a malicous svg file and a link to the new file will be generated in the server.

Upload this file (save the file with .svg extension):

<?xml version="1.0" encoding="utf-8"?>
<!-- Svg Vector Icons : -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">
<svg version="1.1" xmlns="" xmlns:xlink="" x="0px" y="0px" viewBox="0 0 1000 1000" enable-background="new 0 0 1000 1000" xml:space="preserve">
<metadata> Svg Vector Icons : </metadata>
<g><g transform="translate(0.000000,511.000000) scale(0.100000,-0.100000)"><path d="M974.7,3376.1c-105.3-28.7-212.5-120.6-260.3-222c-26.8-61.3-30.6-327.3-36.4-2894.1l-3.8-2829H387.1H100v-111v-109.1l250.7-197.1l250.7-195.2H5000h4398.5l250.8,195.2l250.7,197.1v109.1v111h-287.1h-287.1V206.5c0,1965.7-5.7,2802.2-21,2873c-28.7,135.9-139.7,254.6-271.8,294.8c-84.2,24.9-585.7,28.7-4031,26.8C1847.5,3401,1047.5,3395.3,974.7,3376.1z M8985.1,3062.2c21.1-21.1,24.9-553.2,24.9-2823.2v-2798.4l-1560-5.7l-1561.9-3.8l-34.5-67c-21-38.3-68.9-86.1-105.3-111c-67-42.1-78.5-42.1-748.4-42.1c-648.9,0-683.3,1.9-746.5,38.3c-36.4,23-84.2,72.7-105.3,111l-38.3,70.8H2557.7H1003.4l-9.6,61.3c-15.3,80.4-15.3,5443.6-1.9,5514.4c5.7,30.6,28.7,61.3,51.7,70.8c24.9,9.6,1770.5,15.3,3979.3,13.4C8223.3,3087.1,8964,3083.3,8985.1,3062.2z"/><path d="M1296.3,2786.6c-5.7-13.4-7.7-1152.3-5.7-2532.3l5.7-2507.4H5000h3703.7V273.4V2800l-3699.9,5.7C2054.3,2809.6,1302,2805.7,1296.3,2786.6z M5415.4,2269.8c-3.8-13.4-157-409.6-340.7-880.5l-329.2-857.5h-84.2h-82.3l36.4,91.9c19.1,49.8,172.3,446,338.8,880.5l302.4,788.6h84.2C5400,2292.8,5423,2285.1,5415.4,2269.8z M4425.8,1833.4v-76.6l-482.3-241.2l-484.3-241.2l478.5-243.1l478.5-241.2l5.7-80.4c3.8-45.9,0-82.3-5.7-82.3s-266.1,130.2-576.1,290.9l-564.6,289l5.7,68.9l5.7,67l545.5,283.3c300.5,155,557,283.3,570.4,283.3C4416.2,1910,4425.8,1881.3,4425.8,1833.4z M6167.6,1628.6l555.1-283.3v-70.8v-68.9l-562.7-289c-310.1-158.9-570.4-289-576.1-289s-9.6,36.4-5.7,82.3l5.7,80.4l488.1,241.2l488.1,241.2l-491.9,245l-493.8,245v72.7c0,42.1,9.6,74.6,21,74.6C5604.8,1910,5863.2,1783.6,6167.6,1628.6z M4425.8,24.6v-86.1h-488.1h-488.1v86.1v86.1h488.1h488.1V24.6z M5245,30.4l-5.7-82.3l-157-5.7l-158.9-5.8v88.1v86.1H5088h162.7L5245,30.4z M6052.7,24.6v-88.1l-157,5.8l-158.9,5.7l-5.7,82.3l-5.7,80.4h162.7h164.6V24.6z M4100.4-300.8v-86.1H3775h-325.4v86.1v86.1H3775h325.4V-300.8z M5076.6-300.8v-86.1h-325.4h-325.4v86.1v86.1h325.4h325.4V-300.8z M5899.6-300.8v-86.1h-325.4h-325.4v86.1v86.1h325.4h325.4V-300.8z M6875.8-300.8v-86.1h-325.4H6225v86.1v86.1h325.4h325.4V-300.8z M4253.5-654.9v-76.6h-306.3H3641v76.6v76.6h306.2h306.3V-654.9z M4100.4-951.6v-86.1H3775h-325.4v86.1v86.1H3775h325.4V-951.6z M5076.6-951.6v-86.1h-239.3H4598v86.1v86.1h239.3h239.3V-951.6z M5076.6-1276.9v-86.1h-813.5h-813.5v86.1v86.1h813.5h813.5V-1276.9z M6225-1276.9v-86.1h-325.4h-325.4v86.1v86.1h325.4H6225V-1276.9z M5245-1606.2l5.7-82.3H4265h-987.7v72.7c0,40.2,5.7,80.4,13.4,86.1c5.7,7.7,447.9,11.5,980,9.6l968.5-5.7L5245-1606.2z M6550.4-1602.3v-86.1H6225h-325.4v86.1v86.1H6225h325.4V-1602.3z"/></g></g>
<script type="text/javascript">

2 - Insert something like that into a Test Plan:


Now when an admin or other users will open the link, the XSS will be triggered.

POC Video:


Stored XSS to run malicious javascript. Probably possibility to become admin and use also other api endpoint without permission.


filter file extensions in file upload

We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. a year ago
We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back a year ago
Antonio Spataro
a year ago


@admin any update? if it needs some tips on how to avoid the file upload vulnerability I can help him in the process

a year ago


No update but the kiwi team is on the platform. Feel free to reach out to them via other channels (twitter, GH, email)

Antonio Spataro
10 months ago


@admin Could you try to contact the team and see if it is possible to have news? I can't get in touch. In the coming days I would like to analyze the application again if or in any case some other open source framework here on the portal as soon as this vulnerability is resolved, for now I'm dedicating myself to work. I think it's enough to add a strong regex in the name of the uploaded file to solve the problem, and possibly check the type, but if I can't get any feedback from them I can't possibly even help them

Ben Harvie
10 months ago


Hi Antonio, we have exhausted our outreach efforts to the maintainer, we recommend you try to reach out to the maintainer yourself and try to get their attention to this report. Thanks!

kiwitcms/kiwi maintainer validated this vulnerability 9 months ago
Antonio Spataro has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
kiwitcms/kiwi maintainer marked this as fixed in 12.1 with commit 6617ce 9 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Apr 15th 2023
get.js#L205 has been validated
Antonio Spataro
9 months ago


@kiwi @kiwitcms mantainer is it possible to obtain the CVE? It's a stored xss that with the right payload allows an attacker to become the administrator

kiwitcms/kiwi maintainer published this vulnerability 8 months ago
to join this conversation