[CVE-2021-40875] 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

sickcodes · sickcodes · commit 0762c81609ad · 2021-10-04T20:03:04.000Z
diff --git a/advisories/SICK-2021-129.md b/advisories/SICK-2021-129.md
@@ -5,7 +5,9 @@ CVE-2021-40875: Improper Access Control in Gurock TestRail versions 7.2.0.3014 a
 CVE-2021-40875
 
 ### CVSS Score
-Pending
+7.5
+
+CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 
 ### Internal ID
 SICK-2021-129
@@ -20,20 +22,19 @@ TestRail Test Case Management Software
 7.2.0.3014 and below
 
 ### Vulnerability Details
-Improper access control in the installation artifacts of Gurock TestRail versions 7.2.0.3014 allows a remote unauthenticated attacker to view sensitive SQL import files, some of which contain API keys and a full directory listing of files included in the installation, as well as SQL table names.
+Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
 
 ### Vendor Response
 Pending
 
 ### Proof of Concept
 
-
 https://github.com/SakuraSamuraii/derailed
 
 
 ```bash
 #!/bin/bash
-# Author:       sickcodes & 
+# Author:       sickcodes
 # Contact:      https://twitter.com/sickcodes
 # Copyright:    sickcodes (C) 2021
 # License:      GPLv3+
