CVE-2021-44263 Cross-Site Scripting in Gurock TestRail

1. Vulnerability Properties

Title: Reflected Cross-Site Scripting in Gurock TestRail
CVE ID: CVE-2021-44263
CVSSv3 Base Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Vendor: Gurock
Products: TestRail
Advisory Release Date: 17-02-2022
Advisory URL: https://labs.integrity.pt/advisories/cve-2021-44263
Credits: Discovery by Marco Vieira <msv[at]integrity.pt>

2. Vulnerability Summary

TestRail fails to sanitize a user-supplied input before rendering it on the dashboard, leading to a reflected cross-site scripting (XSS) vulnerability.

3. Vulnerable Versions

  • < 7.2.4

4. Solution

  • Update to version 7.2.5 or higher

5. Vulnerability Timeline

  • 23/Nov/21 - Bug reported to Gurock
  • 25/Nov/21 - Bug verified by vendor
  • 17/Feb/22 - Advisory released

6. References

  • https://www.gurock.com/testrail/
  • https://discuss.gurock.com/t/testrail-7-2-4-released-to-cloud/20248


© 2022 Integrity Part of Devoteam. All rights reserved.