Mq-Xz

#26846de 53,638
9.4 CVSS total
Vulnerabilities · 1
PT-2023-8825
9.4
2023-07-05
Kiwi Tcms · Kiwi Tcms · CVE-2023-36809
**Name of the Vulnerable Software and Affected Versions**

Kiwi TCMS versions prior to 12.5

**Description**

The issue concerns the upload of attachments to test plans and test cases in Kiwi TCMS. Earlier versions of Kiwi TCMS had already been changed to serve all uploaded files as plain text, so that browsers would not execute potentially dangerous files. However, the Nginx configuration that did this was incorrect: certain browsers, such as Firefox, could on some occasions ignore the `Content-Type: text/plain` header, allowing potentially dangerous scripts to be executed. In addition, the file upload validators and parts of the HTML rendering code required further sanitization and improvements, and the `tree view html()` function needed to sanitize test plan names.

**Recommendations**

For versions prior to 12.5, update to version 12.5, which includes an updated Nginx content type configuration, improved file upload validation code, and sanitization of the test plan names used in the `tree view html()` function. As a temporary workaround, consider restricting file uploads and access to potentially dangerous files until the update is applied.
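The advisory above describes the mitigation only in general terms (serve uploads as plain text via Nginx). The location block below is an added example of how such an upload location can be hardened so that browsers cannot sniff or render the content; it is not Kiwi TCMS's own configuration, and the `/uploads/` path, the `alias` directory and the exact set of directives are assumptions.

```nginx
# Added example (not Kiwi TCMS's shipped config): serve user uploads as inert
# downloads so a browser never treats an attachment as HTML or script.
location /uploads/ {
    alias /var/www/uploads/;            # assumed storage path

    # Drop the extension-to-MIME map so every file is labelled text/plain,
    # regardless of whether it was uploaded as .html, .svg, .js, ...
    types { }
    default_type text/plain;

    # Forbid MIME sniffing: browsers that honour this header will not
    # reinterpret a text/plain body as something renderable.
    add_header X-Content-Type-Options "nosniff" always;

    # Hand the file to the user as a download rather than rendering it inline.
    add_header Content-Disposition "attachment" always;

    # Even if a file were rendered, a sandboxed, script-free policy applies.
    add_header Content-Security-Policy "default-src 'none'; sandbox" always;

    # Note: any add_header inside a location replaces, rather than extends,
    # the add_header set inherited from the server block, so security headers
    # defined at server level must be repeated here.
}
```

Check the result with `curl -I https://<host>/uploads/<file>` and confirm that `Content-Type: text/plain`, `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment` are all present on the response.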