TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used.
Max CVSS: 7.5 | EPSS Score: 0.05% | Published: 2023-12-30 | Updated: 2024-01-05
TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php.
Max CVSS: 8.8 | EPSS Score: 0.11% | Published: 2022-09-20 | Updated: 2022-09-21
TestLink 1.9.20 Raijin was discovered to contain a broken access control vulnerability at /lib/attachments/attachmentdownload.php.
Max CVSS: 7.2 | EPSS Score: 0.08% | Published: 2022-09-16 | Updated: 2022-09-17
TestLink v1.9.20 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /lib/inventory/inventoryView.php.
Max CVSS: 5.4 | EPSS Score: 0.05% | Published: 2022-09-16 | Updated: 2022-09-21
TestLink v1.9.20 was discovered to contain a SQL injection vulnerability via /lib/execute/execNavigator.php.
Max CVSS: 7.2 | EPSS Score: 0.08% | Published: 2022-09-16 | Updated: 2022-09-17
In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web site associated with the session.
Max CVSS: 9.8 | EPSS Score: 0.24% | Published: 2020-04-27 | Updated: 2021-07-21
In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials.
Max CVSS: 7.5 | EPSS Score: 0.31% | Published: 2020-04-27 | Updated: 2021-07-21
An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection.
Max CVSS: 8.8 | EPSS Score: 0.17% | Published: 2020-02-10 | Updated: 2020-02-12
An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application.
Max CVSS: 8.8 | EPSS Score: 2.78% | Published: 2020-04-03 | Updated: 2021-02-22
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter.
Max CVSS: 9.8 | EPSS Score: 0.24% | Published: 2020-04-03 | Updated: 2020-04-06
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter.
Max CVSS: 9.8 | EPSS Score: 0.24% | Published: 2020-04-03 | Updated: 2020-04-06
TestLink before 1.9.20 allows XSS via non-lowercase javascript: in the index.php reqURI parameter. NOTE: this issue exists because of an incomplete fix for CVE-2019-19491.
Max CVSS: 6.1 | EPSS Score: 0.08% | Published: 2020-01-20 | Updated: 2020-01-24
Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allow remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter to reqSpecCompareRevisions.php; the (3) requirement_id parameter to reqCompareVersions.php; the (4) build_id parameter to planUpdateTC.php; the (5) tplan_id parameter to newest_tcversions.php; the (6) tplan_id parameter to tcCreatedPerUserGUI.php; the (7) tcase_id parameter to tcAssign2Tplan.php; or the (8) testcase_id parameter to tcCompareVersions.php. Authentication is often easy to achieve: a guest account that can execute this attack can be created by anyone in the default configuration.
Max CVSS: 8.8 | EPSS Score: 0.50% | Published: 2020-03-05 | Updated: 2020-03-07
TestLink 1.9.19 has XSS via the lib/testcases/archiveData.php edit parameter, the index.php reqURI parameter, or the URI in a lib/testcases/tcEdit.php?doAction=doDeleteStep request.
Max CVSS: 6.1 | EPSS Score: 0.15% | Published: 2019-12-02 | Updated: 2019-12-04
TestLink 1.9.19 has XSS via the error.php message parameter.
Max CVSS: 6.1 | EPSS Score: 0.09% | Published: 2019-08-01 | Updated: 2019-08-02
TestLink through 1.9.16 allows remote attackers to read arbitrary attachments via a modified ID field to /lib/attachments/attachmentdownload.php.
Max CVSS: 7.5 | EPSS Score: 0.57% | Published: 2018-03-05 | Updated: 2018-03-27
install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value.
Max CVSS: 7.5 | EPSS Score: 75.40% | Published: 2018-02-25 | Updated: 2019-03-05
Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.9.14 allow remote attackers to inject arbitrary web script or HTML via the (1) selected_end_date or (2) selected_start_date parameter to lib/results/tcCreatedPerUserOnTestProject.php; the (3) containerType parameter to lib/testcases/containerEdit.php; the (4) filter_tc_id or (5) filter_testcase_name parameter to lib/testcases/listTestCases.php; the (6) useRecursion parameter to lib/testcases/tcImport.php; the (7) targetTestCase or (8) created_by parameter to lib/testcases/tcSearch.php; or the (9) HTTP Referer header to third_party/user_contribution/fakeRemoteExecServer/client4fakeXMLRPCTestRunner.php.
Max CVSS: 6.1 | EPSS Score: 0.12% | Published: 2017-09-26 | Updated: 2018-10-09
SQL injection vulnerability in TestLink before 1.9.14 allows remote attackers to execute arbitrary SQL commands via the apikey parameter to lnl.php.
Max CVSS: 9.8 | EPSS Score: 0.15% | Published: 2017-09-26 | Updated: 2019-03-11
lib/functions/database.class.php in TestLink before 1.9.13 allows remote attackers to obtain sensitive information via unspecified vectors, which reveals the installation path in an error message.
Max CVSS: 5.0 | EPSS Score: 0.99% | Published: 2014-10-31 | Updated: 2018-10-09
lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the filter_result_result parameter.
Max CVSS: 7.5 | EPSS Score: 3.68% | Published: 2014-10-31 | Updated: 2018-10-09
Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL commands via the (1) name parameter in a Search action to lib/project/projectView.php or (2) id parameter to lib/events/eventinfo.php.
Max CVSS: 9.0 | EPSS Score: 0.18% | Published: 2014-10-08 | Updated: 2014-10-09
Multiple SQL injection vulnerabilities in TestLink 1.8.5b and earlier allow remote authenticated users with the Requirement view permission to execute arbitrary SQL commands via the req_spec_id parameter to (1) reqSpecAnalyse.php, (2) reqSpecPrint.php, or (3) reqSpecView.php in requirements/. NOTE: some of these details are obtained from third party information.
Max CVSS: 6.5 | EPSS Score: 0.32% | Published: 2014-08-14 | Updated: 2017-08-29

CVE-2012-0938 (public exploit available)
Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and earlier allow remote authenticated users with certain permissions to execute arbitrary SQL commands via the root_node parameter in the display_children function to (1) getrequirementnodes.php or (2) gettprojectnodes.php in lib/ajax/; the (3) cfield_id parameter in an edit action to lib/cfields/cfieldsEdit.php; the (4) id parameter in an edit action or (5) plan_id parameter in a create action to lib/plan/planMilestonesEdit.php; or the req_spec_id parameter to (6) reqImport.php or (7) in a create action to reqEdit.php in lib/requirements/. NOTE: some of these details are obtained from third party information.
Max CVSS: 6.5 | EPSS Score: 0.81% | Published: 2014-08-14 | Updated: 2017-08-29
TestLink before 1.7.1 does not enforce an unspecified authorization mechanism, which has unknown impact and attack vectors.
Max CVSS: 10.0 | EPSS Score: 0.34% | Published: 2007-11-15 | Updated: 2008-11-15
25 vulnerabilities found