kiwitcms@8.9 vulnerabilities

Test Case Management System

Direct Vulnerabilities

Known vulnerabilities in the kiwitcms package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable versions

Severity markers: M = medium, H = high. Version ranges use interval notation: [,12.2) means every version below 12.2 is affected, and [0,) means every published version is affected (no fixed release existed when the entry was written).
  • M
Command Injection

kiwitcms is a Test Case Management System

Affected versions of this package are vulnerable to Command Injection: under certain conditions the Content-Type: text/plain header is ignored and user input is insufficiently sanitized, so scripts embedded in that input can be executed. Note that the behaviour described is script execution in the viewing browser rather than on the server, and the same root cause appears again under Cross-site Scripting (XSS) below.

How to fix Command Injection?

At the time of this entry a fix had been pushed to the master branch but not published in a release, so there is no fixed version to upgrade to. Until one is released, serve user-supplied content with X-Content-Type-Options: nosniff and Content-Disposition: attachment so that browsers download it instead of rendering it.

[0,)
  • M
Improper Authorization

Affected versions of this package are vulnerable to Improper Authorization: a user can change the email address on their account via the My profile admin page without the email-ownership verification that account registration performs, so an account can be bound to an address its owner has never proved they control.

How to fix Improper Authorization?

Upgrade kiwitcms to version 12.2 or higher.

[,12.2)
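
The following is an added example, not Kiwi TCMS code, of the ownership check this entry says is missing: a change of email address takes effect only after a token mailed to the new address is presented back to the application. The User class, the HMAC token layout and the SECRET_KEY and TOKEN_TTL values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Added example of a verified email-change flow; this is not Kiwi TCMS code and the
# User class, token format and TTL below are assumptions made for illustration.

SECRET_KEY = secrets.token_bytes(32)  # in a real app: loaded from settings, never regenerated
TOKEN_TTL = 3600                      # seconds a confirmation link stays valid


class User:
    def __init__(self, username, email):
        self.username = username
        self.email = email
        self.pending_email = None


def _sign(username, new_email, expires):
    """Bind the token to the account, the new address and the expiry time."""
    msg = f"{username}\0{new_email}\0{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def change_email_unverified(user, new_email):
    """The vulnerable pattern: the address is replaced as soon as the form is posted."""
    user.email = new_email


def request_email_change(user, new_email, now=None):
    """Hardened pattern, step 1: record the request and mint a token that the
    application mails to new_email only. user.email is not touched yet."""
    now = int(time.time() if now is None else now)
    expires = now + TOKEN_TTL
    user.pending_email = new_email
    return f"{expires}.{_sign(user.username, new_email, expires)}"


def confirm_email_change(user, token, now=None):
    """Hardened pattern, step 2: the address changes only when the holder of the
    new mailbox presents a valid, unexpired token for this account."""
    now = int(time.time() if now is None else now)
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    if user.pending_email is None or now > expires:
        return False
    expected = _sign(user.username, user.pending_email, expires)
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return False
    user.email = user.pending_email
    user.pending_email = None
    return True
```

The token is bound by the HMAC to the username, the new address and the expiry, so it cannot be replayed for another account or address, and it is consumed on first use because the pending request is cleared. A deployment would additionally notify the old address that a change is pending.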
  • H
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization: some browsers, Firefox among them, ignore the Content-Type: text/plain header on some occasions and render the response as markup, so potentially dangerous scripts in that content can execute.

How to fix Cross-site Scripting (XSS)?

As with the Command Injection entry above, a fix had been pushed to the master branch but not yet published in a release when this entry was written, so no upgrade target exists.

[0,)
  • H
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper validation of uploaded file content, which can result in stored XSS. An attacker exploits it by uploading a maliciously crafted file that is later served to other users.

How to fix Cross-site Scripting (XSS)?

Upgrade kiwitcms to version 12.4 or higher.

[,12.4)
  • H
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unrestricted file upload. Earlier versions of Kiwi TCMS had introduced upload validators to prevent potentially dangerous files from being uploaded (see GHSA-fwcf-753v-fgcj) and a Content-Security-Policy definition to prevent cross-site scripting attacks (see GHSA-2wcr-87wf-cf9j).

The upload validation checks are not robust enough, which leaves an attacker the possibility of circumventing them and uploading a potentially dangerous file. Exploiting this flaw, a combination of files can be uploaded that work together to circumvent the existing Content-Security-Policy and allow execution of arbitrary JavaScript in the browser.

How to fix Cross-site Scripting (XSS)?

Upgrade kiwitcms to version 12.3 or higher.

[,12.3)
  • H
Arbitrary File Upload

Affected versions of this package are vulnerable to Arbitrary File Upload: a malicious actor can upload an .exe file, or a file containing embedded JavaScript, and trick other users into opening it, causing a vulnerable browser to execute the malicious code on the victim's computer or enabling an XSS attack.

How to fix Arbitrary File Upload?

Upgrade kiwitcms to version 12.2 or higher.

[,12.2)
  • H
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) because SVG files uploaded by users are accepted, and an SVG document can contain JavaScript. If such an SVG is viewed directly, i.e. opened as the top-level document rather than embedded in an HTML page through an img element, that JavaScript executes in the origin the file is served from.

How to fix Cross-site Scripting (XSS)?

Upgrade kiwitcms to version 12.1 or higher.

[,12.1)
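
The upload-related entries above (the non-robust upload validators, the .exe / embedded-JavaScript upload, the SVG upload, and the two entries where a browser ignores Content-Type: text/plain) share two defences: decide what a file is from its bytes rather than its name, and serve stored uploads with headers that stop the browser from rendering them in the site's origin. The following is an added example written for this page, not Kiwi TCMS's own validator or view code; the extension allowlist, the magic-byte table, the active-markup patterns and the header values are policy assumptions, and the file contents used in the checks are constructed samples.

```python
import os
import re

# Added example of content-based upload validation and safe download headers; this
# is not Kiwi TCMS's validator code. The extension allowlist, the magic-byte table
# and the header values are policy assumptions chosen for illustration.

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt", ".log", ".csv"}

# Leading bytes of formats that should never be accepted, whatever the name says.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with shebang",
}

# Markup constructs that make SVG/HTML content executable when a browser renders it.
ACTIVE_CONTENT = [
    re.compile(rb"<\s*(script|iframe|object|embed|foreignObject)\b", re.I),
    re.compile(rb"<[^>]*\bon[a-z]+\s*=", re.I),                          # onload=, onerror=, ...
    re.compile(rb"<[^>]*(href|src)\s*=\s*[\"']?\s*javascript:", re.I),   # javascript: URLs
]


class UploadRejected(Exception):
    pass


def validate_upload(filename, data):
    """Reject by extension, then by what the bytes actually are, not what the name claims."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            raise UploadRejected(f"content is a {kind}, not a {ext} file")
    for pattern in ACTIVE_CONTENT:
        if pattern.search(data):
            raise UploadRejected("content contains active markup (script, event handler or javascript: URL)")
    return True


def is_accepted(filename, data):
    """Boolean wrapper for callers that only need a verdict."""
    try:
        validate_upload(filename, data)
    except UploadRejected:
        return False
    return True


def headers_for_download(filename):
    """Serve stored uploads so the browser cannot run them in the site's origin:
    octet-stream plus nosniff stops content-type guessing, attachment forces a
    download instead of rendering, and the CSP neuters anything that still renders."""
    safe_name = re.sub(r"[^\w.\-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

A content scan like ACTIVE_CONTENT is a denylist and will never be complete, which is the lesson of the 12.3 entry; the extension allowlist, the download headers and the Content-Security-Policy are what make a bypass harmless, so all three are applied together rather than relying on any one of them.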
  • H
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) because no rate limits are imposed on the login page, which makes brute-force attacks against user passwords easier.

How to fix Denial of Service (DoS)?

Upgrade kiwitcms to version 12.0 or higher.

[,12.0)
  • M
Allocation of Resources Without Limits or Throttling

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the "Password Reset" page: because the endpoint has no rate limiting, an attacker can trigger a large number of reset emails to the addresses of valid Kiwi TCMS users.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade kiwitcms to version 12.0 or higher.

[,12.0)
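
The two throttling entries above (the login page and the "Password Reset" page) call for the same control, so one added example covers both. It is not Kiwi TCMS code; the limits, the single-user credential store and the SENT_RESET_MAILS outbox are constructed assumptions, and the IP addresses in the comments are sample values. A deployment would back the limiter with a shared store such as the cache, since per-process memory neither survives restarts nor spans workers.

```python
import time
from collections import defaultdict, deque

# Added example of request throttling for the login and password-reset endpoints;
# not Kiwi TCMS code. The limits, the user table and the outbox are constructed
# assumptions for illustration.


class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._events[key]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


login_limiter = SlidingWindowLimiter(limit=5, window=60)
reset_limiter = SlidingWindowLimiter(limit=3, window=3600)

USERS = {"alice": "correct horse battery staple"}   # constructed sample credential store
SENT_RESET_MAILS = []                                # stands in for the outgoing mail queue
RESET_RESPONSE = "If that address is registered, a reset link has been sent."


def login(username, password, client_ip, now=None):
    # Count per source address and per target account: one IP cannot spray many
    # accounts, and one account cannot be hammered from many IPs.
    if not login_limiter.allow(f"ip:{client_ip}", now):
        return "rate_limited"
    if not login_limiter.allow(f"user:{username}", now):
        return "rate_limited"
    return "ok" if USERS.get(username) == password else "bad_credentials"


def request_password_reset(email, client_ip, now=None):
    # Throttle per source and per target address, and answer identically whether
    # or not the address is registered, so the endpoint is neither a mail cannon
    # nor an account-enumeration oracle.
    if reset_limiter.allow(f"ip:{client_ip}", now) and reset_limiter.allow(f"email:{email}", now):
        if email in {f"{name}@example.com" for name in USERS}:
            SENT_RESET_MAILS.append(email)
    return RESET_RESPONSE


if __name__ == "__main__":
    for attempt in range(7):
        print(attempt + 1, login("alice", "wrong", "203.0.113.7"))
```

The `now` parameter exists so the window can be driven deterministically in tests; production callers leave it unset and the monotonic clock is used. Keying the password-reset limiter on the target address is what stops the specific abuse in the 12.0 entry, a flood of genuine emails to real users, which a per-IP limit alone would not, since the attacker can rotate sources.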
  • M
Weak Password Requirements

Affected versions of this package are vulnerable to Weak Password Requirements: insufficient password strength rules are enforced when a user registers a new account or changes their password, which makes a weak password easier for an attacker to guess.

How to fix Weak Password Requirements?

Upgrade kiwitcms to version 11.7 or higher.

[,11.7)
  • M
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS): HTML in user input was not escaped when generating the history diff, so stored markup is rendered when a user views an object's history.

How to fix Cross-site Scripting (XSS)?

Upgrade kiwitcms to version 11.6 or higher.

[,11.6)
  • M
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via Test Plan content when it is viewed through the history page.

How to fix Cross-site Scripting (XSS)?

Upgrade kiwitcms to version 11.6 or higher.

[,11.6)
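
An added example for the two history-diff entries above, not Kiwi TCMS's own diff code: the same line-level diff is rendered once the vulnerable way and once with every user-controlled fragment escaped before it becomes markup. The two Test Plan revisions are constructed samples.

```python
import difflib
import html

# Added example showing the history-diff rendering bug and its fix; not Kiwi TCMS's
# own diff code. The two revisions below are constructed sample Test Plan text.

CSS_CLASS = {"+ ": "added", "- ": "removed", "  ": "same"}


def _diff_rows(old_text, new_text):
    """Yield (css_class, line) pairs from a line-level diff of two revisions."""
    for line in difflib.ndiff(old_text.splitlines(), new_text.splitlines()):
        tag, text = line[:2], line[2:]
        if tag == "? ":          # intraline hint lines, not content
            continue
        yield CSS_CLASS[tag], text


def render_history_diff_unsafe(old_text, new_text):
    """Vulnerable pattern: stored field text is dropped straight into the page."""
    return "\n".join(
        f'<div class="{css}">{text}</div>' for css, text in _diff_rows(old_text, new_text)
    )


def render_history_diff(old_text, new_text):
    """Fixed pattern: every user-controlled fragment is escaped before it becomes
    markup. quote=True also neutralises quotes so the text is safe in attributes."""
    return "\n".join(
        f'<div class="{css}">{html.escape(text, quote=True)}</div>'
        for css, text in _diff_rows(old_text, new_text)
    )


OLD_REVISION = "1. Open the login page\n2. Enter valid credentials"
NEW_REVISION = (
    "1. Open the login page\n"
    "2. Enter valid credentials\n"
    '3. <img src=x onerror="alert(document.cookie)">'
)

if __name__ == "__main__":
    print(render_history_diff_unsafe(OLD_REVISION, NEW_REVISION))
    print(render_history_diff(OLD_REVISION, NEW_REVISION))
```

Escaping at the point where text is turned into HTML, rather than when it is stored, is what keeps the diff view consistent with the rest of the application: the stored Test Plan text is unchanged, and only its rendering in the history page is made inert.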