Vulnerability Summary

Title: Stored XSS via SVG upload in kiwitcms/kiwi
Type: CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting), stored
Severity: High (CVSS 8.1)
Vulnerability Type: Stored XSS via SVG upload
Reported on: May 24, 2023
Affected Version: 12.3
Fixed in: 12.4
CVE: CVE-2023-33977 (assigned via GitHub)

Description: The researcher found a stored cross-site scripting vulnerability by uploading a crafted SVG file to the application. Because the uploaded file is later rendered in the browser within the application's origin, script carried inside the SVG runs for any user who views it. The proof of concept is provided in a Google Drive link referenced in the report.

Impact: A stored XSS payload executes in the browser of every user who opens the affected content, so the attacker does not need to lure each victim to a crafted URL. It allows an attacker to steal session tokens and other sensitive data, hijack user sessions, perform actions as the victim, manipulate or deface page content, and serve phishing pages or malware from a trusted origin, with corresponding reputational damage.

References: https://huntr.dev/bounties/19470f0b-7094-4339-8d4a-4b5570b54716/

Process Summary: M Nadeem Qazi found and reported the vulnerability. Alexander Todorov validated the report and shipped a fix in version 12.4. The researcher was awarded both the disclosure and the fix bounties. The vulnerability was assigned CVE-2023-33977 via GitHub.
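The advisory does not publish the payload, but the class of bug is well understood: an SVG is an XML document that may carry <script> elements, on* event handlers, javascript: URLs and HTML inside <foreignObject>, all of which execute when the file is rendered inline from the application's origin. The following is an added example, not Kiwi TCMS code and not the reporter's proof of concept, of the two checks a practitioner would want on an upload path: screening the SVG for active content before accepting it, and serving stored SVGs with headers that prevent execution even if screening misses something. The sample SVGs, function names and header set are this example's own assumptions.

```python
"""Screen an uploaded SVG for active content and serve it as a download.

Added example, not Kiwi TCMS code and not the reporter's proof of concept.
The sample SVGs below are constructed for illustration; the function and
header names are this example's own.
"""
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed HTML when the SVG renders in a page.
# Compared case-insensitively to stay conservative.
ACTIVE_TAGS = {"script", "foreignobject"}

# A URL-valued attribute whose value resolves to a script-capable scheme,
# tolerating leading whitespace/control characters and mixed case.
_SCRIPT_SCHEME = re.compile(r"^[\s\x00-\x1f]*(?:javascript|vbscript|data):", re.I)


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return findings that make the SVG unsafe to render inline; [] if none."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Reject anything the XML parser cannot read; browsers are more lenient.
        return [f"not well-formed XML: {exc}"]

    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag.lower() in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):            # onload, onclick, onbegin ...
                findings.append(f"{name} handler on <{tag}>")
            elif _SCRIPT_SCHEME.match(value):            # href="javascript:..." etc.
                findings.append(f"{name}={value.strip()!r} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True when screening found nothing; callers should reject otherwise."""
    return not find_active_content(svg_bytes)


def download_headers(filename: str) -> dict[str, str]:
    """Response headers for a stored SVG (hypothetical helper).

    Defence in depth for the case where screening misses a vector: force a
    download instead of inline rendering, forbid MIME sniffing, and attach a
    CSP that blocks script if the document is ever rendered anyway.
    """
    safe_name = re.sub(r"[^\w.-]", "_", filename)   # keep the header unambiguous
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
    }


# Constructed samples: one benign image and four carrying active content.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="red"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href=" JaVaScRiPt:alert(1)"><text>x</text></a></svg>')
FOREIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
               b'<body xmlns="http://www.w3.org/1999/xhtml"><img src="x"/></body></foreignObject></svg>')

if __name__ == "__main__":
    for label, data in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                        ("handler", HANDLER_SVG), ("href", HREF_SVG), ("foreign", FOREIGN_SVG)]:
        print(f"{label:8s} safe={is_safe_svg(data)} findings={find_active_content(data)}")
    print(download_headers('report";x.svg'))
```

The screening function is a denylist and should be treated as the minimum: an allowlist sanitizer that rebuilds the document from known-safe elements and attributes is stronger, and untrusted XML should be parsed with entity expansion disabled (for example with defusedxml) to avoid DTD-based denial of service. The header set is what makes the fix robust: a file served with Content-Disposition: attachment and a restrictive CSP is not executed as a page in the application's origin no matter what it contains.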