OS Command Injection
kiwitcms is vulnerable to OS Command Injection. The vulnerability exists because the github.head_ref value used in changelog.yml is not properly validated by the workflow, which allows an attacker to gain write access to file configurations...
CVE-2023-30628 Kiwi TCMS has command injection vulnerability in changelog.yml CI workflow
Kiwi TCMS is an open source test management system. In kiwitcms/Kiwi v12.2 and prior and kiwitcms/enterprise v12.2 and prior, the changelog.yml workflow is vulnerable to command injection attacks because it uses the untrusted github.head_ref field. The github.head_ref value is an attacker-controlle...
CVE-2023-30628
Kiwi TCMS (Kiwi/Kiwi) versions 12.2 and earlier, including kiwitcms/Kiwi and kiwitcms/enterprise, are affected by a command-injection vulnerability in the changelog.yml CI workflow. The issue arises from using an attacker-controlled untrusted github.head_ref field, which can be assigned to a cra...