CVE-2018-20063

Name of the Vulnerable Software and Affected Versions Gurock TestRail version 5.6.0.3853

Description An issue exists in the image-upload form, available in the description editor, allowing remote authenticated users to execute arbitrary code by uploading an image file with an executable extension but a safe Content-Type value, and then accessing it via a direct request to the file in the file-upload directory.

Recommendations For Gurock TestRail version 5.6.0.3853, consider restricting access to the image-upload form in the description editor to minimize the risk of exploitation. As a temporary workaround, restrict access to the file-upload directory according to the server configuration to prevent direct requests to uploaded files.