Unrated severityNVD Advisory· Published Feb 24, 2009· Updated Apr 23, 2026

CVE-2007-5289

Description

HP Mercury Quality Center (QC) 9.2 and earlier, and possibly TestDirector, relies on cached client-side scripts to implement "workflow" and decisions about the "capability" of a user, which allows remote attackers to execute arbitrary code via crafted use of the Open Test Architecture (OTA) API, as demonstrated by modifying (1) common.tds, (2) defects.tds, (3) manrun.tds, (4) req.tds, (5) testlab.tds, or (6) testplan.tds in %tmp%\TD_80, and then setting the file's properties to read-only.

Affected products

Microfocus/Mercury Quality Center5 versions
cpe:2.3:a:hp:mercury_quality_center:*:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:hp:mercury_quality_center:*:*:*:*:*:*:*:*range: <=9.2
- cpe:2.3:a:hp:mercury_quality_center:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:mercury_quality_center:8.2:*:*:*:*:*:*:*
- cpe:2.3:a:hp:mercury_quality_center:8.2:sp1:*:*:*:*:*:*
- cpe:2.3:a:hp:mercury_quality_center:9.0:*:*:*:*:*:*:*
Microfocus/Testdirector
cpe:2.3:a:hp:testdirector:-:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

secunia.com/advisories/34015nvdVendor Advisory
www.kb.cert.org/vuls/id/898865nvdUS Government Resource
blogs.exposit.co.uk/2009/02/23/vulnerability-in-quality-center/nvd
secunia.com/advisories/34046nvd
www.securityfocus.com/archive/1/501177/100/0/threadednvd
www.securityfocus.com/archive/1/501219/100/0/threadednvd
www.securityfocus.com/bid/33854nvd
exchange.xforce.ibmcloud.com/vulnerabilities/48860nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.020
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000