Kiwi TCMS may allow user to update email address to unverified one

Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration. Operators of Kiwi TCMS should upgrade to v12.2 or later to receive a patch. No known workarounds exist.

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

未经验证的属主

Kiwi TCMS 安全漏洞

Kiwi TCMS是Kiwi TCMS开源的一个用于手动和自动测试的领先开源测试管理系统。 Kiwi TCMS 12.2之前版本存在安全漏洞，该漏洞源于允许用户通过My profile页面更改电子邮件按地址而无需执行权限验证。

N/A

N/A