TestLink Security Vulnerabilities
TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can change the tplan_id parameter to another ID. The application does not carry out a check on the user's permissions, making it possible to recover the IDs of all the TestPlans (even the administrative ones) and modify them even with minimal privileges.
CVSS Score: 8.1 | EPSS Score: 0.0 | Published: 2024-09-27
TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. When uploading a file, the XSS payload can be entered into the file name.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2024-08-26
TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2023-12-30
TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2022-09-20
TestLink v1.9.20 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /lib/inventory/inventoryView.php.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2022-09-16
TestLink v1.9.20 was discovered to contain a SQL injection vulnerability via /lib/execute/execNavigator.php.
CVSS Score: 7.2 | EPSS Score: 0.001 | Published: 2022-09-16
TestLink 1.9.20 Raijin was discovered to contain a broken access control vulnerability at /lib/attachments/attachmentdownload.php.
CVSS Score: 7.2 | EPSS Score: 0.001 | Published: 2022-09-16
In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2020-04-27
In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web site associated with the session.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2020-04-27
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter.
CVSS Score: 9.8 | EPSS Score: 0.084 | Published: 2020-04-03
Shodan ® - All rights reserved