Gurock TestRail < 3.1.3 XSS

medium Nessus Plugin ID 77302

Synopsis

The remote host is running a test management and quality assurance web application affected by an XSS vulnerability.

Description

According to its self-reported version, the installation of Gurock TestRail running on the remote host is a version prior to 3.1.3. It is, therefore, affected by a cross-site scripting vulnerability due to improper sanitization of the 'Created By' field displayed on the overview page, project summary report, and report filters.

Note that only authenticated users can exploit this vulnerability.

Solution

Upgrade to TestRail 3.1.3 or later.

See Also

http://www.nessus.org/u?8c7ca45c

Plugin Details

Severity: Medium

ID: 77302

File Name: testrail_CVE-2014-4857.nasl

Version: 1.7

Type: remote

Published: 8/21/2014

Updated: 5/28/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2014-4857

Vulnerability Information

CPE: cpe:/a:gurock:testrail

Required KB Items: installed_sw/Gurock TestRail

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 7/22/2014

Vulnerability Publication Date: 7/18/2014

Reference Information

CVE: CVE-2014-4857

BID: 68884

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

CERT: 669804