Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
56 vulnerabilities found for testlink by testlink
CVE-2021-47760 (GCVE-0-2021-47760)
Vulnerability from nvd – Published: 2026-01-15 15:52 – Updated: 2026-01-22 20:42
VLAI?
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as a duplicate.
Replaced by CVE-2021-42220
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2026-01-22T20:42:51.435Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"rejectedReasons": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as a duplicate."
}
],
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as a duplicate."
}
],
"replacedBy": [
"CVE-2021-42220"
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-47760",
"datePublished": "2026-01-15T15:52:06.479Z",
"dateRejected": "2026-01-22T20:42:51.435Z",
"dateReserved": "2026-01-14T14:39:44.734Z",
"dateUpdated": "2026-01-22T20:42:51.435Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-46097 (GCVE-0-2024-46097)
Vulnerability from nvd – Published: 2024-09-27 00:00 – Updated: 2024-09-27 19:42
VLAI?
Summary
TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can change the tplan_id parameter to another ID. The application does not carry out a check on the user's permissions maing it possible to recover the IDs of all the TestPlans (even the administrative ones) and modify them even with minimal privileges.
Severity ?
8.1 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:testlink:testlink:1.9.20:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "testlink",
"vendor": "testlink",
"versions": [
{
"status": "affected",
"version": "1.9.20"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-46097",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T19:17:04.030265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T19:42:29.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can change the tplan_id parameter to another ID. The application does not carry out a check on the user\u0027s permissions maing it possible to recover the IDs of all the TestPlans (even the administrative ones) and modify them even with minimal privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T17:16:33.979Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Alkatraz97/CVEs/blob/main/CVE-2024-46097.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-46097",
"datePublished": "2024-09-27T00:00:00.000Z",
"dateReserved": "2024-09-11T00:00:00.000Z",
"dateUpdated": "2024-09-27T19:42:29.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42906 (GCVE-0-2024-42906)
Vulnerability from nvd – Published: 2024-08-26 00:00 – Updated: 2024-08-26 20:48
VLAI?
Summary
TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. When uploading a file, the XSS payload can be entered into the file name.
Severity ?
4.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jenkins:testlink:*:*:*:*:*:jenkins:*:*"
],
"defaultStatus": "unknown",
"product": "testlink",
"vendor": "jenkins",
"versions": [
{
"lessThan": "v.1.9.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42906",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T20:23:38.123295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T20:48:33.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. When uploading a file, the XSS payload can be entered into the file name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T19:26:47.558Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://testlink.org/"
},
{
"url": "https://github.com/Alkatraz97/CVEs/blob/main/CVE-2024-42906.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-42906",
"datePublished": "2024-08-26T00:00:00.000Z",
"dateReserved": "2024-08-05T00:00:00.000Z",
"dateUpdated": "2024-08-26T20:48:33.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50110 (GCVE-0-2023-50110)
Vulnerability from nvd – Published: 2023-12-30 00:00 – Updated: 2024-08-02 22:09
VLAI?
Summary
TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.679Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/357"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-30T16:27:53.450Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/357"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-50110",
"datePublished": "2023-12-30T00:00:00.000Z",
"dateReserved": "2023-12-04T00:00:00.000Z",
"dateUpdated": "2024-08-02T22:09:49.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35196 (GCVE-0-2022-35196)
Vulnerability from nvd – Published: 2022-09-20 15:52 – Updated: 2025-05-29 13:37
VLAI?
Summary
TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:29:17.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35196"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-35196",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-29T13:37:16.265609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T13:37:48.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-20T15:52:42.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35196"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-35196",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35196",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35196"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35196",
"datePublished": "2022-09-20T15:52:42.000Z",
"dateReserved": "2022-07-04T00:00:00.000Z",
"dateUpdated": "2025-05-29T13:37:48.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35194 (GCVE-0-2022-35194)
Vulnerability from nvd – Published: 2022-09-16 20:30 – Updated: 2024-08-03 09:29
VLAI?
Summary
TestLink v1.9.20 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /lib/inventory/inventoryView.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:29:17.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35194"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink v1.9.20 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /lib/inventory/inventoryView.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-16T20:30:27.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35194"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-35194",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TestLink v1.9.20 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /lib/inventory/inventoryView.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35194",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35194"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35194",
"datePublished": "2022-09-16T20:30:27.000Z",
"dateReserved": "2022-07-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T09:29:17.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35195 (GCVE-0-2022-35195)
Vulnerability from nvd – Published: 2022-09-16 15:36 – Updated: 2024-08-03 09:29
VLAI?
Summary
TestLink 1.9.20 Raijin was discovered to contain a broken access control vulnerability at /lib/attachments/attachmentdownload.php
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:29:17.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35195"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink 1.9.20 Raijin was discovered to contain a broken access control vulnerability at /lib/attachments/attachmentdownload.php"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-16T15:36:53.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35195"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-35195",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TestLink 1.9.20 Raijin was discovered to contain a broken access control vulnerability at /lib/attachments/attachmentdownload.php"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35195",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35195"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35195",
"datePublished": "2022-09-16T15:36:53.000Z",
"dateReserved": "2022-07-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T09:29:17.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35193 (GCVE-0-2022-35193)
Vulnerability from nvd – Published: 2022-09-16 15:59 – Updated: 2024-08-03 09:29
VLAI?
Summary
TestLink v1.9.20 was discovered to contain a SQL injection vulnerability via /lib/execute/execNavigator.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:29:17.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35193"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink v1.9.20 was discovered to contain a SQL injection vulnerability via /lib/execute/execNavigator.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-16T15:59:19.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35193"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-35193",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TestLink v1.9.20 was discovered to contain a SQL injection vulnerability via /lib/execute/execNavigator.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35193",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35193"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35193",
"datePublished": "2022-09-16T15:59:19.000Z",
"dateReserved": "2022-07-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T09:29:17.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12274 (GCVE-0-2020-12274)
Vulnerability from nvd – Published: 2020-04-27 12:34 – Updated: 2024-08-04 11:48
VLAI?
Summary
In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web site associated with the session.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:58.514Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2d17cd00f981f8e8c97de34a12e368ba2a55e3d0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://mantis.testlink.org/view.php?id=8894"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web site associated with the session."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-27T12:34:54.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2d17cd00f981f8e8c97de34a12e368ba2a55e3d0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://mantis.testlink.org/view.php?id=8894"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12274",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web site associated with the session."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2d17cd00f981f8e8c97de34a12e368ba2a55e3d0",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2d17cd00f981f8e8c97de34a12e368ba2a55e3d0"
},
{
"name": "http://mantis.testlink.org/view.php?id=8894",
"refsource": "MISC",
"url": "http://mantis.testlink.org/view.php?id=8894"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12274",
"datePublished": "2020-04-27T12:34:54.000Z",
"dateReserved": "2020-04-27T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:48:58.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12273 (GCVE-0-2020-12273)
Vulnerability from nvd – Published: 2020-04-27 12:35 – Updated: 2024-08-04 11:48
VLAI?
Summary
In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:58.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://mantis.testlink.org/view.php?id=8895"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/72271ef057e6e4a95c6128973902ea646f7b5462"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-27T12:35:07.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://mantis.testlink.org/view.php?id=8895"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/72271ef057e6e4a95c6128973902ea646f7b5462"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12273",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://mantis.testlink.org/view.php?id=8895",
"refsource": "MISC",
"url": "http://mantis.testlink.org/view.php?id=8895"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/72271ef057e6e4a95c6128973902ea646f7b5462",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/72271ef057e6e4a95c6128973902ea646f7b5462"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12273",
"datePublished": "2020-04-27T12:35:07.000Z",
"dateReserved": "2020-04-27T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:48:58.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8639 (GCVE-0-2020-8639)
Vulnerability from nvd – Published: 2020-04-03 18:36 – Updated: 2024-08-04 10:03
VLAI?
Summary
An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Date Public ?
2020-04-03 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.367Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/57d81ae350d569c5c95087997fe051c49e14516d"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/161401/TestLink-1.9.20-Shell-Upload.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-04-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-15T17:06:08.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/57d81ae350d569c5c95087997fe051c49e14516d"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/161401/TestLink-1.9.20-Shell-Upload.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8639",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/",
"refsource": "MISC",
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/57d81ae350d569c5c95087997fe051c49e14516d",
"refsource": "CONFIRM",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/57d81ae350d569c5c95087997fe051c49e14516d"
},
{
"name": "http://packetstormsecurity.com/files/161401/TestLink-1.9.20-Shell-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/161401/TestLink-1.9.20-Shell-Upload.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8639",
"datePublished": "2020-04-03T18:36:44.000Z",
"dateReserved": "2020-02-05T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:03:46.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8638 (GCVE-0-2020-8638)
Vulnerability from nvd – Published: 2020-04-03 18:36 – Updated: 2024-08-04 10:03
VLAI?
Summary
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Date Public ?
2020-04-03 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.374Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/58f3cc03d5f81cd5cc2ad8c7ba645cc486cebc05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-04-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-03T18:36:41.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/58f3cc03d5f81cd5cc2ad8c7ba645cc486cebc05"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8638",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/",
"refsource": "MISC",
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/58f3cc03d5f81cd5cc2ad8c7ba645cc486cebc05",
"refsource": "CONFIRM",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/58f3cc03d5f81cd5cc2ad8c7ba645cc486cebc05"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8638",
"datePublished": "2020-04-03T18:36:41.000Z",
"dateReserved": "2020-02-05T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:03:46.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8637 (GCVE-0-2020-8637)
Vulnerability from nvd – Published: 2020-04-03 18:36 – Updated: 2024-08-04 10:03
VLAI?
Summary
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Date Public ?
2020-04-03 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d99bd8277d384f3417e917ce20bef5d061110343"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-04-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-03T18:36:38.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d99bd8277d384f3417e917ce20bef5d061110343"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8637",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/",
"refsource": "MISC",
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d99bd8277d384f3417e917ce20bef5d061110343",
"refsource": "CONFIRM",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d99bd8277d384f3417e917ce20bef5d061110343"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8637",
"datePublished": "2020-04-03T18:36:38.000Z",
"dateReserved": "2020-02-05T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:03:46.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20107 (GCVE-0-2019-20107)
Vulnerability from nvd – Published: 2020-03-05 12:50 – Updated: 2024-08-05 02:32
VLAI?
Summary
Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allows remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter to reqSpecCompareRevisions.php; the (3) requirement_id parameter to reqCompareVersions.php; the (4) build_id parameter to planUpdateTC.php; the (5) tplan_id parameter to newest_tcversions.php; the (6) tplan_id parameter to tcCreatedPerUserGUI.php; the (7) tcase_id parameter to tcAssign2Tplan.php; or the (8) testcase_id parameter to tcCompareVersions.php. Authentication is often easy to achieve: a guest account, that can execute this attack, can be created by anyone in the default configuration.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:32:10.615Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://mantis.testlink.org/view.php?id=8829"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/TLOpenSource/status/1212394020946751489"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/e2d88c9d7f8e02640ba65e5ff74b55d0399a53d0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/7647a7b53ceab31524cfcfb3beb8435af0a30fc1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d27690c6cb7708a6db0701b6428381d32d51495a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/942c406fcee5d376235a264cb8a79300a0002d20"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/146b4f38010a48c36b7d9650060ca354c92ab4ac"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/bcf7b971b5c88ea08d2dc47685f319be3b02cea8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://mantis.testlink.org/view.php?id=8829#c29360"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allows remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter to reqSpecCompareRevisions.php; the (3) requirement_id parameter to reqCompareVersions.php; the (4) build_id parameter to planUpdateTC.php; the (5) tplan_id parameter to newest_tcversions.php; the (6) tplan_id parameter to tcCreatedPerUserGUI.php; the (7) tcase_id parameter to tcAssign2Tplan.php; or the (8) testcase_id parameter to tcCompareVersions.php. Authentication is often easy to achieve: a guest account, that can execute this attack, can be created by anyone in the default configuration."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-05T15:12:27.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://mantis.testlink.org/view.php?id=8829"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/TLOpenSource/status/1212394020946751489"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/e2d88c9d7f8e02640ba65e5ff74b55d0399a53d0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/7647a7b53ceab31524cfcfb3beb8435af0a30fc1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d27690c6cb7708a6db0701b6428381d32d51495a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/942c406fcee5d376235a264cb8a79300a0002d20"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/146b4f38010a48c36b7d9650060ca354c92ab4ac"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/bcf7b971b5c88ea08d2dc47685f319be3b02cea8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://mantis.testlink.org/view.php?id=8829#c29360"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20107",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allows remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter to reqSpecCompareRevisions.php; the (3) requirement_id parameter to reqCompareVersions.php; the (4) build_id parameter to planUpdateTC.php; the (5) tplan_id parameter to newest_tcversions.php; the (6) tplan_id parameter to tcCreatedPerUserGUI.php; the (7) tcase_id parameter to tcAssign2Tplan.php; or the (8) testcase_id parameter to tcCompareVersions.php. Authentication is often easy to achieve: a guest account, that can execute this attack, can be created by anyone in the default configuration."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://mantis.testlink.org/view.php?id=8829",
"refsource": "MISC",
"url": "http://mantis.testlink.org/view.php?id=8829"
},
{
"name": "https://twitter.com/TLOpenSource/status/1212394020946751489",
"refsource": "MISC",
"url": "https://twitter.com/TLOpenSource/status/1212394020946751489"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/e2d88c9d7f8e02640ba65e5ff74b55d0399a53d0",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/e2d88c9d7f8e02640ba65e5ff74b55d0399a53d0"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/7647a7b53ceab31524cfcfb3beb8435af0a30fc1",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/7647a7b53ceab31524cfcfb3beb8435af0a30fc1"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d27690c6cb7708a6db0701b6428381d32d51495a",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d27690c6cb7708a6db0701b6428381d32d51495a"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/942c406fcee5d376235a264cb8a79300a0002d20",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/942c406fcee5d376235a264cb8a79300a0002d20"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/146b4f38010a48c36b7d9650060ca354c92ab4ac",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/146b4f38010a48c36b7d9650060ca354c92ab4ac"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/bcf7b971b5c88ea08d2dc47685f319be3b02cea8",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/bcf7b971b5c88ea08d2dc47685f319be3b02cea8"
},
{
"name": "http://mantis.testlink.org/view.php?id=8829#c29360",
"refsource": "MISC",
"url": "http://mantis.testlink.org/view.php?id=8829#c29360"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20107",
"datePublished": "2020-03-05T12:50:19.000Z",
"dateReserved": "2019-12-30T00:00:00.000Z",
"dateUpdated": "2024-08-05T02:32:10.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8841 (GCVE-0-2020-8841)
Vulnerability from nvd – Published: 2020-02-10 20:24 – Updated: 2024-08-04 10:12
VLAI?
Summary
An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.926Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/239"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ver007/testlink-1.9.19-sqlinject"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-10T20:24:45.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/239"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ver007/testlink-1.9.19-sqlinject"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8841",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/239",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/239"
},
{
"name": "https://github.com/ver007/testlink-1.9.19-sqlinject",
"refsource": "MISC",
"url": "https://github.com/ver007/testlink-1.9.19-sqlinject"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8841",
"datePublished": "2020-02-10T20:24:45.000Z",
"dateReserved": "2020-02-10T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:12:10.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47760 (GCVE-0-2021-47760)
Vulnerability from cvelistv5 – Published: 2026-01-15 15:52 – Updated: 2026-01-22 20:42
VLAI?
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as a duplicate.
Replaced by CVE-2021-42220
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2026-01-22T20:42:51.435Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"rejectedReasons": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as a duplicate."
}
],
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as a duplicate."
}
],
"replacedBy": [
"CVE-2021-42220"
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-47760",
"datePublished": "2026-01-15T15:52:06.479Z",
"dateRejected": "2026-01-22T20:42:51.435Z",
"dateReserved": "2026-01-14T14:39:44.734Z",
"dateUpdated": "2026-01-22T20:42:51.435Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-46097 (GCVE-0-2024-46097)
Vulnerability from cvelistv5 – Published: 2024-09-27 00:00 – Updated: 2024-09-27 19:42
VLAI?
Summary
TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can change the tplan_id parameter to another ID. The application does not carry out a check on the user's permissions maing it possible to recover the IDs of all the TestPlans (even the administrative ones) and modify them even with minimal privileges.
Severity ?
8.1 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:testlink:testlink:1.9.20:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "testlink",
"vendor": "testlink",
"versions": [
{
"status": "affected",
"version": "1.9.20"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-46097",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T19:17:04.030265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T19:42:29.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can change the tplan_id parameter to another ID. The application does not carry out a check on the user\u0027s permissions maing it possible to recover the IDs of all the TestPlans (even the administrative ones) and modify them even with minimal privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T17:16:33.979Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Alkatraz97/CVEs/blob/main/CVE-2024-46097.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-46097",
"datePublished": "2024-09-27T00:00:00.000Z",
"dateReserved": "2024-09-11T00:00:00.000Z",
"dateUpdated": "2024-09-27T19:42:29.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42906 (GCVE-0-2024-42906)
Vulnerability from cvelistv5 – Published: 2024-08-26 00:00 – Updated: 2024-08-26 20:48
VLAI?
Summary
TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. When uploading a file, the XSS payload can be entered into the file name.
Severity ?
4.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jenkins:testlink:*:*:*:*:*:jenkins:*:*"
],
"defaultStatus": "unknown",
"product": "testlink",
"vendor": "jenkins",
"versions": [
{
"lessThan": "v.1.9.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42906",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T20:23:38.123295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T20:48:33.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. When uploading a file, the XSS payload can be entered into the file name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T19:26:47.558Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://testlink.org/"
},
{
"url": "https://github.com/Alkatraz97/CVEs/blob/main/CVE-2024-42906.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-42906",
"datePublished": "2024-08-26T00:00:00.000Z",
"dateReserved": "2024-08-05T00:00:00.000Z",
"dateUpdated": "2024-08-26T20:48:33.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50110 (GCVE-0-2023-50110)
Vulnerability from cvelistv5 – Published: 2023-12-30 00:00 – Updated: 2024-08-02 22:09
VLAI?
Summary
TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.679Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/357"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-30T16:27:53.450Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/357"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-50110",
"datePublished": "2023-12-30T00:00:00.000Z",
"dateReserved": "2023-12-04T00:00:00.000Z",
"dateUpdated": "2024-08-02T22:09:49.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35196 (GCVE-0-2022-35196)
Vulnerability from cvelistv5 – Published: 2022-09-20 15:52 – Updated: 2025-05-29 13:37
VLAI?
Summary
TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:29:17.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35196"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-35196",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-29T13:37:16.265609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T13:37:48.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-20T15:52:42.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35196"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-35196",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35196",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35196"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35196",
"datePublished": "2022-09-20T15:52:42.000Z",
"dateReserved": "2022-07-04T00:00:00.000Z",
"dateUpdated": "2025-05-29T13:37:48.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35194 (GCVE-0-2022-35194)
Vulnerability from cvelistv5 – Published: 2022-09-16 20:30 – Updated: 2024-08-03 09:29
VLAI?
Summary
TestLink v1.9.20 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /lib/inventory/inventoryView.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:29:17.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35194"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink v1.9.20 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /lib/inventory/inventoryView.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-16T20:30:27.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35194"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-35194",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TestLink v1.9.20 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /lib/inventory/inventoryView.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35194",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35194"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35194",
"datePublished": "2022-09-16T20:30:27.000Z",
"dateReserved": "2022-07-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T09:29:17.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35193 (GCVE-0-2022-35193)
Vulnerability from cvelistv5 – Published: 2022-09-16 15:59 – Updated: 2024-08-03 09:29
VLAI?
Summary
TestLink v1.9.20 was discovered to contain a SQL injection vulnerability via /lib/execute/execNavigator.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:29:17.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35193"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink v1.9.20 was discovered to contain a SQL injection vulnerability via /lib/execute/execNavigator.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-16T15:59:19.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35193"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-35193",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TestLink v1.9.20 was discovered to contain a SQL injection vulnerability via /lib/execute/execNavigator.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35193",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35193"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35193",
"datePublished": "2022-09-16T15:59:19.000Z",
"dateReserved": "2022-07-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T09:29:17.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35195 (GCVE-0-2022-35195)
Vulnerability from cvelistv5 – Published: 2022-09-16 15:36 – Updated: 2024-08-03 09:29
VLAI?
Summary
TestLink 1.9.20 Raijin was discovered to contain a broken access control vulnerability at /lib/attachments/attachmentdownload.php
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:29:17.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35195"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TestLink 1.9.20 Raijin was discovered to contain a broken access control vulnerability at /lib/attachments/attachmentdownload.php"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-16T15:36:53.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35195"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-35195",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TestLink 1.9.20 Raijin was discovered to contain a broken access control vulnerability at /lib/attachments/attachmentdownload.php"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/"
},
{
"name": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35195",
"refsource": "MISC",
"url": "https://github.com/HuangYuHsiangPhone/CVEs/tree/main/TestLink/CVE-2022-35195"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35195",
"datePublished": "2022-09-16T15:36:53.000Z",
"dateReserved": "2022-07-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T09:29:17.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12273 (GCVE-0-2020-12273)
Vulnerability from cvelistv5 – Published: 2020-04-27 12:35 – Updated: 2024-08-04 11:48
VLAI?
Summary
In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:58.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://mantis.testlink.org/view.php?id=8895"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/72271ef057e6e4a95c6128973902ea646f7b5462"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-27T12:35:07.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://mantis.testlink.org/view.php?id=8895"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/72271ef057e6e4a95c6128973902ea646f7b5462"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12273",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://mantis.testlink.org/view.php?id=8895",
"refsource": "MISC",
"url": "http://mantis.testlink.org/view.php?id=8895"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/72271ef057e6e4a95c6128973902ea646f7b5462",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/72271ef057e6e4a95c6128973902ea646f7b5462"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12273",
"datePublished": "2020-04-27T12:35:07.000Z",
"dateReserved": "2020-04-27T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:48:58.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12274 (GCVE-0-2020-12274)
Vulnerability from cvelistv5 – Published: 2020-04-27 12:34 – Updated: 2024-08-04 11:48
VLAI?
Summary
In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web site associated with the session.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:58.514Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2d17cd00f981f8e8c97de34a12e368ba2a55e3d0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://mantis.testlink.org/view.php?id=8894"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web site associated with the session."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-27T12:34:54.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2d17cd00f981f8e8c97de34a12e368ba2a55e3d0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://mantis.testlink.org/view.php?id=8894"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12274",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web site associated with the session."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2d17cd00f981f8e8c97de34a12e368ba2a55e3d0",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2d17cd00f981f8e8c97de34a12e368ba2a55e3d0"
},
{
"name": "http://mantis.testlink.org/view.php?id=8894",
"refsource": "MISC",
"url": "http://mantis.testlink.org/view.php?id=8894"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12274",
"datePublished": "2020-04-27T12:34:54.000Z",
"dateReserved": "2020-04-27T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:48:58.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8639 (GCVE-0-2020-8639)
Vulnerability from cvelistv5 – Published: 2020-04-03 18:36 – Updated: 2024-08-04 10:03
VLAI?
Summary
An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Date Public ?
2020-04-03 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.367Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/57d81ae350d569c5c95087997fe051c49e14516d"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/161401/TestLink-1.9.20-Shell-Upload.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-04-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-15T17:06:08.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/57d81ae350d569c5c95087997fe051c49e14516d"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/161401/TestLink-1.9.20-Shell-Upload.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8639",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/",
"refsource": "MISC",
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/57d81ae350d569c5c95087997fe051c49e14516d",
"refsource": "CONFIRM",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/57d81ae350d569c5c95087997fe051c49e14516d"
},
{
"name": "http://packetstormsecurity.com/files/161401/TestLink-1.9.20-Shell-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/161401/TestLink-1.9.20-Shell-Upload.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8639",
"datePublished": "2020-04-03T18:36:44.000Z",
"dateReserved": "2020-02-05T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:03:46.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8638 (GCVE-0-2020-8638)
Vulnerability from cvelistv5 – Published: 2020-04-03 18:36 – Updated: 2024-08-04 10:03
VLAI?
Summary
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Date Public ?
2020-04-03 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.374Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/58f3cc03d5f81cd5cc2ad8c7ba645cc486cebc05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-04-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-03T18:36:41.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/58f3cc03d5f81cd5cc2ad8c7ba645cc486cebc05"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8638",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/",
"refsource": "MISC",
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/58f3cc03d5f81cd5cc2ad8c7ba645cc486cebc05",
"refsource": "CONFIRM",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/58f3cc03d5f81cd5cc2ad8c7ba645cc486cebc05"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8638",
"datePublished": "2020-04-03T18:36:41.000Z",
"dateReserved": "2020-02-05T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:03:46.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8637 (GCVE-0-2020-8637)
Vulnerability from cvelistv5 – Published: 2020-04-03 18:36 – Updated: 2024-08-04 10:03
VLAI?
Summary
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Date Public ?
2020-04-03 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d99bd8277d384f3417e917ce20bef5d061110343"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-04-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-03T18:36:38.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d99bd8277d384f3417e917ce20bef5d061110343"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8637",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/",
"refsource": "MISC",
"url": "https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d99bd8277d384f3417e917ce20bef5d061110343",
"refsource": "CONFIRM",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d99bd8277d384f3417e917ce20bef5d061110343"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8637",
"datePublished": "2020-04-03T18:36:38.000Z",
"dateReserved": "2020-02-05T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:03:46.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20107 (GCVE-0-2019-20107)
Vulnerability from cvelistv5 – Published: 2020-03-05 12:50 – Updated: 2024-08-05 02:32
VLAI?
Summary
Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allows remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter to reqSpecCompareRevisions.php; the (3) requirement_id parameter to reqCompareVersions.php; the (4) build_id parameter to planUpdateTC.php; the (5) tplan_id parameter to newest_tcversions.php; the (6) tplan_id parameter to tcCreatedPerUserGUI.php; the (7) tcase_id parameter to tcAssign2Tplan.php; or the (8) testcase_id parameter to tcCompareVersions.php. Authentication is often easy to achieve: a guest account, that can execute this attack, can be created by anyone in the default configuration.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:32:10.615Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://mantis.testlink.org/view.php?id=8829"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/TLOpenSource/status/1212394020946751489"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/e2d88c9d7f8e02640ba65e5ff74b55d0399a53d0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/7647a7b53ceab31524cfcfb3beb8435af0a30fc1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d27690c6cb7708a6db0701b6428381d32d51495a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/942c406fcee5d376235a264cb8a79300a0002d20"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/146b4f38010a48c36b7d9650060ca354c92ab4ac"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/bcf7b971b5c88ea08d2dc47685f319be3b02cea8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://mantis.testlink.org/view.php?id=8829#c29360"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allows remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter to reqSpecCompareRevisions.php; the (3) requirement_id parameter to reqCompareVersions.php; the (4) build_id parameter to planUpdateTC.php; the (5) tplan_id parameter to newest_tcversions.php; the (6) tplan_id parameter to tcCreatedPerUserGUI.php; the (7) tcase_id parameter to tcAssign2Tplan.php; or the (8) testcase_id parameter to tcCompareVersions.php. Authentication is often easy to achieve: a guest account, that can execute this attack, can be created by anyone in the default configuration."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-05T15:12:27.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://mantis.testlink.org/view.php?id=8829"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/TLOpenSource/status/1212394020946751489"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/e2d88c9d7f8e02640ba65e5ff74b55d0399a53d0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/7647a7b53ceab31524cfcfb3beb8435af0a30fc1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d27690c6cb7708a6db0701b6428381d32d51495a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/942c406fcee5d376235a264cb8a79300a0002d20"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/146b4f38010a48c36b7d9650060ca354c92ab4ac"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/bcf7b971b5c88ea08d2dc47685f319be3b02cea8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://mantis.testlink.org/view.php?id=8829#c29360"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20107",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allows remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter to reqSpecCompareRevisions.php; the (3) requirement_id parameter to reqCompareVersions.php; the (4) build_id parameter to planUpdateTC.php; the (5) tplan_id parameter to newest_tcversions.php; the (6) tplan_id parameter to tcCreatedPerUserGUI.php; the (7) tcase_id parameter to tcAssign2Tplan.php; or the (8) testcase_id parameter to tcCompareVersions.php. Authentication is often easy to achieve: a guest account, that can execute this attack, can be created by anyone in the default configuration."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://mantis.testlink.org/view.php?id=8829",
"refsource": "MISC",
"url": "http://mantis.testlink.org/view.php?id=8829"
},
{
"name": "https://twitter.com/TLOpenSource/status/1212394020946751489",
"refsource": "MISC",
"url": "https://twitter.com/TLOpenSource/status/1212394020946751489"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/e2d88c9d7f8e02640ba65e5ff74b55d0399a53d0",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/e2d88c9d7f8e02640ba65e5ff74b55d0399a53d0"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/7647a7b53ceab31524cfcfb3beb8435af0a30fc1",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/7647a7b53ceab31524cfcfb3beb8435af0a30fc1"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d27690c6cb7708a6db0701b6428381d32d51495a",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d27690c6cb7708a6db0701b6428381d32d51495a"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/942c406fcee5d376235a264cb8a79300a0002d20",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/942c406fcee5d376235a264cb8a79300a0002d20"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/146b4f38010a48c36b7d9650060ca354c92ab4ac",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/146b4f38010a48c36b7d9650060ca354c92ab4ac"
},
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/bcf7b971b5c88ea08d2dc47685f319be3b02cea8",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/bcf7b971b5c88ea08d2dc47685f319be3b02cea8"
},
{
"name": "http://mantis.testlink.org/view.php?id=8829#c29360",
"refsource": "MISC",
"url": "http://mantis.testlink.org/view.php?id=8829#c29360"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20107",
"datePublished": "2020-03-05T12:50:19.000Z",
"dateReserved": "2019-12-30T00:00:00.000Z",
"dateUpdated": "2024-08-05T02:32:10.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8841 (GCVE-0-2020-8841)
Vulnerability from cvelistv5 – Published: 2020-02-10 20:24 – Updated: 2024-08-04 10:12
VLAI?
Summary
An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.926Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/239"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ver007/testlink-1.9.19-sqlinject"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-10T20:24:45.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/239"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ver007/testlink-1.9.19-sqlinject"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8841",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/239",
"refsource": "MISC",
"url": "https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/239"
},
{
"name": "https://github.com/ver007/testlink-1.9.19-sqlinject",
"refsource": "MISC",
"url": "https://github.com/ver007/testlink-1.9.19-sqlinject"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8841",
"datePublished": "2020-02-10T20:24:45.000Z",
"dateReserved": "2020-02-10T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:12:10.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}