Testlink: >> Testlink >> 1.9.19 Security Vulnerabilities
TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. When uploading a file, the XSS payload can be entered into the file name.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-08-26
TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used.
CVSS Score
7.5
EPSS Score
0.003
Published
2023-12-30
Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allows remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter to reqSpecCompareRevisions.php; the (3) requirement_id parameter to reqCompareVersions.php; the (4) build_id parameter to planUpdateTC.php; the (5) tplan_id parameter to newest_tcversions.php; the (6) tplan_id parameter to tcCreatedPerUserGUI.php; the (7) tcase_id parameter to tcAssign2Tplan.php; or the (8) testcase_id parameter to tcCompareVersions.php. Authentication is often easy to achieve: a guest account, that can execute this attack, can be created by anyone in the default configuration.
CVSS Score
8.8
EPSS Score
0.018
Published
2020-03-05
An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection.
CVSS Score
8.8
EPSS Score
0.005
Published
2020-02-10
TestLink before 1.9.20 allows XSS via non-lowercase javascript: in the index.php reqURI parameter. NOTE: this issue exists because of an incomplete fix for CVE-2019-19491.
CVSS Score
6.1
EPSS Score
0.004
Published
2020-01-20
TestLink 1.9.19 has XSS via the lib/testcases/archiveData.php edit parameter, the index.php reqURI parameter, or the URI in a lib/testcases/tcEdit.php?doAction=doDeleteStep request.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-12-02
TestLink 1.9.19 has XSS via the error.php message parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-08-01