CVE-2021-40875
7.5 HIGH · Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure
Published: 2021-09-22 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-425
Affected products
| Vendor | Product |
|---|---|
| gurock | testrail |
Description
Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-40875)
- [Exploit reference](http://packetstormsecurity.com/files/164270/Gurock-Testrail-7.2.0.3014-Improper-Access-Control.html)
- [Other](https://github.com/SakuraSamuraii/derailed)
- [Exploit reference](https://johnjhacking.com/blog/cve-2021-40875/)
- [Vendor advisory](https://www.gurock.com/testrail/tour/enterprise-edition)
Related CVEs
Same CWE
- CVE-2026-34028 — The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an aut...
- CVE-2026-11986 — A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities (4.9 MEDIUM)
- CVE-2026-8205 — Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView o... (5.3 MEDIUM)
- CVE-2026-7500 — When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled (5.4 MEDIUM)
- CVE-2025-15587 — Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's passwor...