Unrated severityNVD Advisory· Published Aug 14, 2014· Updated May 6, 2026

CVE-2012-0938

Description

Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and earlier allow remote authenticated users with certain permissions to execute arbitrary SQL commands via the root_node parameter in the display_children function to (1) getrequirementnodes.php or (2) gettprojectnodes.php in lib/ajax/; the (3) cfield_id parameter in an edit action to lib/cfields/cfieldsEdit.php; the (4) id parameter in an edit action or (5) plan_id parameter in a create action to lib/plan/planMilestonesEdit.php; or the req_spec_id parameter to (6) reqImport.php or (7) in a create action to reqEdit.php in lib/requirements/. NOTE: some of these details are obtained from third party information.

Affected products

Testlink/Testlink2 versions
cpe:2.3:a:testlink:testlink:1.8.5b:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:testlink:testlink:1.8.5b:*:*:*:*:*:*:*
- cpe:2.3:a:testlink:testlink:1.9.3:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.024
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000