Kiwitcms Kiwi vulnerabilities
10 known vulnerabilities affecting kiwitcms/kiwi.
Total CVEs
10
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH2MEDIUM6
Vulnerabilities
Page 1 of 1
CVE-2023-30628P2HIGHCVSS 8.8≤ 12.22023-04-24
CVE-2023-30628 [HIGH] CWE-78 CVE-2023-30628: Kiwi TCMS is an open source test management system. In kiwitcms/Kiwi v12.2 and prior and kiwitcms/en
Kiwi TCMS is an open source test management system. In kiwitcms/Kiwi v12.2 and prior and kiwitcms/enterprise v12.2 and prior,
the `changelog.yml` workflow is vulnerable to command injection attacks because of using an untrusted `github.head_ref` field. The `github.head_ref` value is an attacker-controlled value. Assigning the value to `zzz";echo${IFS}"
nvd
CVE-2023-30613P3CRITICALCVSS 9.0fixed in 12.22023-04-24
CVE-2023-30613 [CRITICAL] CWE-434 CVE-2023-30613: Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans,
Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious actor may upload an `.exe` file or a file containing embedded JavaScript and trick others into clicking on these
nvd
CVE-2023-25156P3CRITICALCVSS 9.8≥ 12.0, < 12.02023-02-15
CVE-2023-25156 [CRITICAL] CWE-770 CVE-2023-25156: Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 1
Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt brute-force attacks against the login page. Users should upgrade to v12.0 or later to receive a patch. As a workaround, users may install and configure a rate-limiting proxy in front of Kiwi TCMS.
nvd
CVE-2023-22451P3HIGHCVSS 8.8≤ 11.62023-01-02
CVE-2023-22451 [HIGH] CWE-521 CVE-2023-22451: Kiwi TCMS is an open source test management system. In version 11.6 and prior, when users register n
Kiwi TCMS is an open source test management system. In version 11.6 and prior, when users register new accounts and/or change passwords, there is no validation in place which would prevent them from picking an easy to guess password. This issue is resolved by providing defaults for the `AUTH_PASSWORD_VALIDATORS` configuration setting. As of version 11
nvd
CVE-2023-32686P4MEDIUMCVSS 5.4fixed in 12.32023-05-27
CVE-2023-32686 [MEDIUM] CWE-79 CVE-2023-32686: Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS
Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded. The upload validation checks were not robust enough wh
nvd
CVE-2023-25171P4MEDIUMCVSS 5.9≥ 12.0, < 12.02023-02-15
CVE-2023-25171 [MEDIUM] CWE-770 CVE-2023-25171: Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 1
Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt denial-of-service attacks against the Password reset page. An attacker could potentially send a large number of emails if they know the email addresses of users in Kiwi TCMS. Additionally that may strain SMTP resou
nvd
CVE-2023-36809P4MEDIUMCVSS 5.4fixed in 12.52023-07-05
CVE-2023-36809 [MEDIUM] CWE-79 CVE-2023-36809: Kiwi TCMS, an open source test management system allows users to upload attachments to test plans, t
Kiwi TCMS, an open source test management system allows users to upload attachments to test plans, test cases, etc. Versions of Kiwi TCMS prior to 12.5 had introduced changes which were meant to serve all uploaded files as plain text in order to prevent browsers from executing potentially dangerous files when such files are accessed directly. The pre
nvd
CVE-2023-33977P4MEDIUMCVSS 5.4fixed in 12.42023-06-06
CVE-2023-33977 [MEDIUM] CWE-79 CVE-2023-33977: Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS
Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded and Content-Security-Policy definition to prevent cross
nvd
CVE-2023-27489P4MEDIUMCVSS 5.4fixed in 12.12023-03-29
CVE-2023-27489 [MEDIUM] CWE-79 CVE-2023-27489: Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS
Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute. This vulnerability has been fixed by configuring Kiwi TCMS to
nvd
CVE-2023-30544P4MEDIUMCVSS 4.3fixed in 12.22023-04-24
CVE-2023-30544 [MEDIUM] CWE-283 CVE-2023-30544: Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users we
Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration. Operators of Kiwi TCMS
nvd