Headline
CVE-2023-30544: Kiwi TCMS 12.2
Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the My profile admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration. Operators of Kiwi TCMS should upgrade to v12.2 or later to receive a patch. No known workarounds exist.
We’re happy to announce Kiwi TCMS version 12.2!
IMPORTANT: this release contains security related updates, general improvements, bug fixes, some API changes and new translations!
You can explore everything at https://public.tenant.kiwitcms.org!
Supported upgrade paths:
5.3 (or older) -> 5.3.1 5.3.1 (or newer) -> 6.0.1 6.0.1 -> 6.1 6.1 -> 6.1.1 6.1.1 -> 6.2 (or newer)
—
Upstream container images (x86_64):
kiwitcms/kiwi latest 89b8ca5e0f5f 593MB
IMPORTANT: version tagged and multi-arch container images are available only to subscribers!
Changes since Kiwi TCMS 12.1
Security
- For security reasons updating email address is no longer allowed. Fixes CVE-2023-30544
- Block uploads of potentially harmful files. Fixes CVE-2023-30613
Improvements
- Update Django from 4.1.7 to 4.1.8
- Update django-attachments from 1.9.1 to 1.11
- Update psycopg2 from 2.9.5 to 2.9.6
- Update pygments from 2.14.0 to 2.15.1
- Update python-gitlab from 3.13.0 to 3.14.0
- Add INFO message for User/Group pages in Admin panel which indicates whether the user is viewing records from the main tenant or from an individual tenant to avoid confusion
- Add new Execution Dashboard telemetry report. Closes Issue #2918
- Add column visibility button on search pages. Fixes Issue #3149
- Add CSV, Excel, PDF and Print buttons on search pages. Fixes Issue #3150
- Allow manually resetting TestRun.stop_date when editing page. Refs Issue #3124
- Display child test plans on Search Test Plans page. Fixes Issue #2917
- Display nested test plans in drop down select widget on Search Test Cases page. Fixes Issue #3134
- Display nested test plans in drop down select widget on Telemetry pages
- Display pagination controls for search results both at the top and bottom
- On Search Test Runs page display start/stop timestamp columns. Closes Issue #2306
- On Search Test Cases page display results from child test plans. Fixes Issue #3135
API
- TestExecution.update() method will no longer update self.stop_date and self.run.stop_date fields when status has been changed! The appropriate behavior here should be specified by the client calling this API method. Refs Issue #3112
- TestPlan.filter() method now returns the children_count field. Refs Issue #3134, Issue #2917
- TestExecution.filter() method now returns status__icon & status__color fields
Bug fixes
- Fix test case filter widget on Test Plan page. Fixes Issue #3137
- Disable selection of inactive test plans on New Test Run page. Fixes Issue #3152
- Add styled page for attachment upload errors. Fixes Issue #1156
- Fix include syntax for uwsgi.override in uwsgi.conf
Refactoring
- Add additional query parameters for updateTestPlanSelectFromProduct()
- Add preProcessData callback to updateTestPlanSelectFromProduct()
- Remove unused telemetry.css file
- Remove unused parameter from updateTestPlanSelectFromProduct()
- Replace hand-crafted pagination controls with the ones built into DataTables
- Replace useless form_errors_to_list() function
- Skip RobotFramework tests on aarch64 b/c of Selenium error, tested on x86_64
- Update node_modules/webpack from 5.76.3 to 5.80.0
- Update node_modules/eslint from 8.37.0 to 8.38.0
Kiwi TCMS Enterprise v12.2-mt
Based on Kiwi TCMS v12.2
Update social-auth-app-django from 5.0.0 to 5.2.0
Private images:
quay.io/kiwitcms/version 12.2 (aarch64) 7e88241f7476 23 Apr 2023 601MB quay.io/kiwitcms/version 12.2 (x86_64) 89b8ca5e0f5f 23 Apr 2023 592MB quay.io/kiwitcms/enterprise 12.2-mt (aarch64) 7f2a05cf9888 23 Apr 2023 843MB quay.io/kiwitcms/enterprise 12.2-mt (x86_64) c4f518a20c58 23 Apr 2023 833MB
IMPORTANT: version tagged, multi-arch and Enterprise container images are available only to subscribers!
Related news
### Impact Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. In earlier versions there is no control over what kinds of files can be uploaded. Thus a malicious actor may upload an `.exe` file or a file containing embedded JavaScript and trick others into clicking on these files causing vulnerable browsers to execute malicious code on another computer or attempting XSS attacks. Stored XSS attacks via file uploads have been fixed in earlier versions of Kiwi TCMS, see [GHSA-2wcr-87wf-cf9j](https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j). This advisory deals with prohibiting users to upload potentially compromised files in the first place. ### Patches Kiwi TCMS v12.2 comes with functionality that allows administrators to configure additional upload validator functions which give them more control over what file types are accepted for upload. By default `.exe` are denied. Other files containing the `<script>` tag, regardless of their t...
Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious actor may upload an `.exe` file or a file containing embedded JavaScript and trick others into clicking on these files, causing vulnerable browsers to execute malicious code on another computer. Kiwi TCMS v12.2 comes with functionality that allows administrators to configure additional upload validator functions which give them more control over what file types are accepted for upload. By default `.exe` are denied. Other files containing the `<script>` tag, regardless of their type are also denied b/c they are a path to XSS attacks. There are no known workarounds aside from upgrading.
### Impact In previous versions of Kiwi TCMS users were able to update their email addresses via the "My profile" admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration. ### Patches With Kiwi TCMS v12.2 or later it is not possible to edit the email field associated with a user account! ### Workarounds No workaround exists. ### References Disclosed by [@novemberdad](https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/).