CVE-2023-30613: 
Python vulnerability analysis and mitigation

CVE-2023-30613 affects Kiwi TCMS, an open source test management system, in versions prior to 12.2. The vulnerability was discovered and disclosed in April 2023, allowing users to upload attachments to test plans and test cases without proper file type restrictions (GitHub Advisory).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) with a CVSS v3.1 base score of 9.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H). The issue stems from the lack of control over file upload types, allowing malicious actors to upload potentially dangerous files such as .exe files or files containing embedded JavaScript (NVD).

The vulnerability could allow attackers to upload malicious files and trick users into executing them, potentially leading to the execution of malicious code on other computers. Additionally, files containing embedded JavaScript could be used for cross-site scripting (XSS) attacks (GitHub Advisory).

The vulnerability has been patched in Kiwi TCMS version 12.2, which introduces functionality allowing administrators to configure additional upload validator functions for controlling accepted file types. By default, .exe files are denied, and files containing potentially malicious tags are blocked. The only recommended workaround is to upgrade to version 12.2 or later (Kiwi Blog).