Vendor CVEs: TestLink

All CVEs (31 total · sorted by risk)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-7390 | TestLink | Critical | 0.64 | 9.8 | 0.02 |  | Sep 26, 2017 | SQL injection vulnerability in TestLink before 1.9.14 allows remote attackers to execute arbitrary SQL commands via the apikey parameter to lnl.php. |
| CVE-2018-7668 | TestLink | High | 0.49 | 7.5 | 0.02 |  | Mar 5, 2018 | TestLink through 1.9.16 allows remote attackers to read arbitrary attachments via a modified ID field to /lib/attachments/attachmentdownload.php. |
| CVE-2015-7391 | TestLink | Medium | 0.40 | 6.1 | 0.01 |  | Sep 26, 2017 | Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.9.14 allow remote attackers to inject arbitrary web script or HTML via the (1) selected_end_date or (2) selected_start_date parameter to lib/results/tcCreatedPerUserOnTestProject.php; the (3) containerType… |
| CVE-2020-8639 | TestLink |  | 0.04 | — | 0.16 |  | Apr 3, 2020 | An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute… |
| CVE-2018-7466 | TestLink | High | 0.04 | 7.5 | 0.06 |  | Feb 25, 2018 | install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value. |
| CVE-2014-5308 | TestLink |  | 0.03 | — | 0.04 |  | Oct 8, 2014 | Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL commands via the (1) name parameter in a Search action to lib/project/projectView.php or (2) id parameter to lib/events/eventinfo.php. |
| CVE-2012-0938 | TestLink |  | 0.03 | — | 0.06 |  | Aug 14, 2014 | Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and earlier allow remote authenticated users with certain permissions to execute arbitrary SQL commands via the root_node parameter in the display_children function to (1) getrequirementnodes.php or (2)… |
| CVE-2009-4238 | TestLink |  | 0.03 | — | 0.01 |  | Dec 10, 2009 | Multiple SQL injection vulnerabilities in TestLink before 1.8.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the Test Case ID field to lib/general/navBar.php or (2) the logLevel parameter to lib/events/eventviewer.php. |
| CVE-2009-4237 | TestLink |  | 0.03 | — | 0.03 |  | Dec 10, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.8.5 allow remote attackers to inject arbitrary web script or HTML via (1) the req parameter to login.php, and allow remote authenticated users to inject arbitrary web script or HTML via (2) the key… |
| CVE-2024-46097 | TestLink |  | 0.00 | — | 0.00 |  | Sep 27, 2024 | TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can change the tplan_id parameter to another ID. The application… |
| CVE-2024-42906 | TestLink |  | 0.00 | — | 0.00 |  | Aug 26, 2024 | TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. When uploading a file, the XSS payload can be entered into the file name. |
| CVE-2023-50110 | TestLink |  | 0.00 | — | 0.01 |  | Dec 30, 2023 | TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used. |
| CVE-2022-35196 | TestLink |  | 0.00 | — | 0.00 |  | Sep 20, 2022 | TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php. |
| CVE-2022-35194 | TestLink |  | 0.00 | — | 0.01 |  | Sep 16, 2022 | TestLink v1.9.20 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /lib/inventory/inventoryView.php. |
| CVE-2022-35193 | TestLink |  | 0.00 | — | 0.01 |  | Sep 16, 2022 | TestLink v1.9.20 was discovered to contain a SQL injection vulnerability via /lib/execute/execNavigator.php. |
| CVE-2022-35195 | TestLink |  | 0.00 | — | 0.01 |  | Sep 16, 2022 | TestLink 1.9.20 Raijin was discovered to contain a broken access control vulnerability at /lib/attachments/attachmentdownload.php. |
| CVE-2020-12273 | TestLink |  | 0.00 | — | 0.01 |  | Apr 27, 2020 | In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials. |
| CVE-2020-12274 | TestLink |  | 0.00 | — | 0.01 |  | Apr 27, 2020 | In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web site associated with the session. |
| CVE-2020-8638 | TestLink |  | 0.00 | — | 0.02 |  | Apr 3, 2020 | A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter. |
| CVE-2020-8637 | TestLink |  | 0.00 | — | 0.03 |  | Apr 3, 2020 | A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter. |
| CVE-2019-20107 | TestLink |  | 0.00 | — | 0.02 |  | Mar 5, 2020 | Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allow remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter to reqSpecCompareRevisions.php; the (3) requirement_id… |
| CVE-2020-8841 | TestLink |  | 0.00 | — | 0.01 |  | Feb 10, 2020 | An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection. |
| CVE-2019-20381 | TestLink |  | 0.00 | — | 0.01 |  | Jan 20, 2020 | TestLink before 1.9.20 allows XSS via non-lowercase javascript: in the index.php reqURI parameter. NOTE: this issue exists because of an incomplete fix for CVE-2019-19491. |
| CVE-2019-19491 | TestLink |  | 0.00 | — | 0.01 |  | Dec 2, 2019 | TestLink 1.9.19 has XSS via the lib/testcases/archiveData.php edit parameter, the index.php reqURI parameter, or the URI in a lib/testcases/tcEdit.php?doAction=doDeleteStep request. |
| CVE-2019-14471 | TestLink |  | 0.00 | — | 0.01 |  | Aug 1, 2019 | TestLink 1.9.19 has XSS via the error.php message parameter. |
| CVE-2014-8082 | TestLink |  | 0.00 | — | 0.03 |  | Oct 31, 2014 | lib/functions/database.class.php in TestLink before 1.9.13 allows remote attackers to obtain sensitive information via unspecified vectors, which reveals the installation path in an error message. |
| CVE-2014-8081 | TestLink |  | 0.00 | — | 0.04 |  | Oct 31, 2014 | lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the filter_result_result parameter. |
| CVE-2012-0939 | TestLink |  | 0.00 | — | 0.01 |  | Aug 14, 2014 | Multiple SQL injection vulnerabilities in TestLink 1.8.5b and earlier allow remote authenticated users with the Requirement view permission to execute arbitrary SQL commands via the req_spec_id parameter to (1) reqSpecAnalyse.php, (2) reqSpecPrint.php, or (3) reqSpecView.php in… |
| CVE-2012-2275 | TestLink |  | 0.00 | — | 0.03 |  | Sep 15, 2012 | Multiple cross-site request forgery (CSRF) vulnerabilities in TestLink 1.9.3 and earlier allow remote attackers to hijack the authentication of users for requests that add, delete, or modify sensitive information, as demonstrated by changing the administrator's email via an… |
| CVE-2008-5807 | TestLink |  | 0.00 | — | 0.01 |  | Dec 31, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.8 RC1 allow remote attackers to inject arbitrary web script or HTML via (1) Testproject Names and (2) Testplan Names in planEdit.php, and possibly (3) Testcaseprefixes in projectview.tpl. |
| CVE-2007-6006 | TestLink |  | 0.00 | — | 0.01 |  | Nov 15, 2007 | TestLink before 1.7.1 does not enforce an unspecified authorization mechanism, which has unknown impact and attack vectors. |