Stored XSS in kiwitcms/kiwi


Reported on

Jun 24th 2023


The application contains a stored XSS vulnerability, which allows an attacker to inject and execute malicious scripts within the application. The vulnerability occurs due to improper input validation and output encoding mechanisms, which fail to adequately sanitize and encode user-generated content.

Proof of Concept:

1- Create a new test plan (e.g., "plan1") as a parent plan within the application.

2- Create another test plan (e.g., "plan2"), specifically for uploading a payload. Utilize the "Attachments" feature of "plan2" to upload a file containing an XSS payload. Upon successful upload, a path will be generated for the uploaded file (e.g., "http://localhost/uploads/attachments/testplans_testplan/2/xss.j"). Make sure to copy this path for later use.

3- Create a new test (e.g., "plan3") with the following name: <script src=/uploads/attachments/testplans_testplan/2/xss.js"></script>. Additionally, specify the parent ID of "plan3" as the ID of "plan1" and save the test.

4- Access the URL of "plan1" or "plan3" within the application.

5- As a result of the vulnerability, the XSS payload injected through the test name will be executed within the application, potentially leading to malicious actions.

POC video:


Stored XSS (Cross-Site Scripting) vulnerability can have significant impacts on the security of a web application. In simple terms, it allows attackers to inject malicious code into the application's storage, which then gets displayed to other users visiting the affected page. This can lead to various harmful consequences, such as the execution of unauthorized actions on behalf of the user, stealing sensitive information like login credentials or personal data, manipulating website content, or even spreading phishing attacks. Essentially, it puts users at risk of having their browsers execute malicious scripts without their knowledge or consent, making it crucial to address this vulnerability promptly to ensure the safety of users and protect the integrity of the application.

We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. 5 months ago
We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back 5 months ago
Alexander Todorov validated this vulnerability 5 months ago
Mahshooq Zubair has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
5 months ago


CVE number and additional details will be available at

Alexander Todorov marked this as fixed in 12.5 with commit 195ea5 5 months ago
Alexander Todorov has been awarded the fix bounty
This vulnerability will not receive a CVE
Alexander Todorov published this vulnerability 5 months ago
to join this conversation