Vulnerabilities for 'TestLink'

2020-02-10
CVE-2020-8841 (CWE-89)
An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection.

2020-01-20
CVE-2019-20381 (CWE-79)
TestLink before 1.9.20 allows XSS via non-lowercase javascript: in the index.php reqURI parameter. NOTE: this issue exists because of an incomplete fix for CVE-2019-19491.

2019-12-02
CVE-2019-19491 (CWE-79)
TestLink 1.9.19 has XSS via the lib/testcases/archiveData.php edit parameter, the index.php reqURI parameter, or the URI in a lib/testcases/tcEdit.php?doAction=doDeleteStep request.

2019-08-01
CVE-2019-14471 (CWE-79)
TestLink 1.9.19 has XSS via the error.php message parameter.

2018-03-05
CVE-2018-7668 (CWE-200)
TestLink through 1.9.16 allows remote attackers to read arbitrary attachments via a modified ID field to /lib/attachments/attachmentdownload.php.

2018-02-25
CVE-2018-7466 (CWE-94)
install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value.

2017-09-26
CVE-2015-7391 (CWE-79)
Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.9.14 allow remote attackers to inject arbitrary web script or HTML via the (1) selected_end_date or (2) selected_start_date parameter to lib/results/tcCreatedPerUserOnTestProject.php; the (3) containerType parameter to lib/testcases/containerEdit.php; the (4) filter_tc_id or (5) filter_testcase_name parameter to lib/testcases/listTestCases.php; the (6) useRecursion parameter to lib/testcases/tcImport.php; the (7) targetTestCase or (8) created_by parameter to lib/testcases/tcSearch.php; or the (9) HTTP Referer header to third_party/user_contribution/fakeRemoteExecServer/client4fakeXMLRPCTestRunner.php.

CVE-2015-7390 (CWE-89)
SQL injection vulnerability in TestLink before 1.9.14 allows remote attackers to execute arbitrary SQL commands via the apikey parameter to lnl.php.

2014-10-31
CVE-2014-8082 (CWE-200)
lib/functions/database.class.php in TestLink before 1.9.13 allows remote attackers to obtain sensitive information via unspecified vectors, which reveals the installation path in an error message.

CVE-2014-8081 (CWE-94)
lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the filter_result_result parameter.


Copyright 2020, cxsecurity.com