PyPI package
kiwitcms
pkg:pypi/kiwitcms
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-36809 | — | | | < 12.5 | 12.5 | Jul 5, 2023 | Kiwi TCMS, an open source test management system allows users to upload attachments to test plans, test cases, etc. Versions of Kiwi TCMS prior to 12.5 had introduced changes which were meant to serve all uploaded files as plain text in order to prevent browsers from executing po |
| CVE-2023-33977 | — | | | < 12.4 | 12.4 | Jun 6, 2023 | Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files fr |
| CVE-2023-32686 | — | | | < 12.3 | 12.3 | May 27, 2023 | Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files fr |
| CVE-2023-30613 | — | | | < 12.2 | 12.2 | Apr 24, 2023 | Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious actor may upload an `.exe` file or a file c |
| CVE-2023-30544 | — | | | < 12.2 | 12.2 | Apr 24, 2023 | Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with their account without the ownership veri |
| CVE-2023-27489 | — | | | < 12.1 | 12.1 | Mar 29, 2023 | Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code coul |
| CVE-2023-25171 | — | | | < 12.0 | 12.0 | Feb 15, 2023 | Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt denial-of-service attacks against the Password reset page. An attacker could potentially send a large number of emails if they know the email a |
| CVE-2023-25156 | — | | | < 12.0 | 12.0 | Feb 15, 2023 | Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt brute-force attacks against the login page. Users should upgrade to v12.0 or later to receive a patch. As a workaround, users may install and c |
| CVE-2022-4105 | — | | | < 11.6 | 11.6 | Nov 21, 2022 | A stored XSS in a kiwi Test Plan can run malicious JavaScript which could be chained with an HTML injection to perform a UI redressing attack (clickjacking) and an HTML injection which disables the use of the history page. |