CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-8638
https://notcve.org/view.php?id=CVE-2020-8638
03 Apr 2020 — A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter. Una vulnerabilidad de inyección SQL en TestLink versión 1.9.20, permite a atacantes ejecutar comandos SQL arbitrarios en el archivo planUrgency.php por medio del parámetro urgency. • https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 8%CPEs: 1EXPL: 2CVE-2020-8637
https://notcve.org/view.php?id=CVE-2020-8637
03 Apr 2020 — A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter. Una vulnerabilidad de inyección SQL en TestLink versión 1.9.20, permite a atacantes ejecutar comandos SQL arbitrarios en el archivo dragdroptreenodes.php por medio del parámetro node_id. • https://github.com/DXY0411/CVE-2020-8637 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 4%CPEs: 1EXPL: 0CVE-2019-20107
https://notcve.org/view.php?id=CVE-2019-20107
05 Mar 2020 — Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allows remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter to reqSpecCompareRevisions.php; the (3) requirement_id parameter to reqCompareVersions.php; the (4) build_id parameter to planUpdateTC.php; the (5) tplan_id parameter to newest_tcversions.php; the (6) tplan_id parameter to tcCreatedPerUserGUI.php; the (7) tcase_id parameter to tcAssign2Tplan.... • http://mantis.testlink.org/view.php?id=8829 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2020-8841
https://notcve.org/view.php?id=CVE-2020-8841
10 Feb 2020 — An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection. Se detectó un problema en TestLink versión 1.9.19. El parámetro relation_type del endpoint lib/require/reqSearch.php es vulnerable a una inyección SQL autenticada. • https://github.com/TestLinkOpenSourceTRMS/testlink-code/pull/239 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-20381
https://notcve.org/view.php?id=CVE-2019-20381
20 Jan 2020 — TestLink before 1.9.20 allows XSS via non-lowercase javascript: in the index.php reqURI parameter. NOTE: this issue exists because of an incomplete fix for CVE-2019-19491. TestLink versiones anteriores a 1.9.20, permite un ataque de tipo XSS por medio de un javascript sin minúsculas: en el parámetro reqURI del archivo index.php. NOTA: este problema se presenta debido a una corrección incompleta para el CVE-2019-19491. • http://mantis.testlink.org/view.php?id=8808 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-19491
https://notcve.org/view.php?id=CVE-2019-19491
02 Dec 2019 — TestLink 1.9.19 has XSS via the lib/testcases/archiveData.php edit parameter, the index.php reqURI parameter, or the URI in a lib/testcases/tcEdit.php?doAction=doDeleteStep request. TestLink versión 1.9.19, presenta una vulnerabilidad de tipo XSS por medio del parámetro edit del archivo lib/testcases/archiveData.php, el parámetro reqURI en el archivo index.php o el URI en una petición lib/testcases/tcEdit.php?DoAction=doDeleteStep. • https://www.exploit-db.com/exploits/47702 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-14471
https://notcve.org/view.php?id=CVE-2019-14471
01 Aug 2019 — TestLink 1.9.19 has XSS via the error.php message parameter. TestLink versión 1.9.19, presenta una vulnerabilidad de tipo XSS por medio del parámetro message en el archivo error.php. • https://code610.blogspot.com/2019/07/xss-in-testlink-1919.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-7668
https://notcve.org/view.php?id=CVE-2018-7668
05 Mar 2018 — TestLink through 1.9.16 allows remote attackers to read arbitrary attachments via a modified ID field to /lib/attachments/attachmentdownload.php. TestLink, hasta la versión 1.9.16, permite que atacantes remotos lean adjuntos arbitrarios mediante un campo ID modificado en /lib/attachments/attachmentdownload.php. • http://lists.openwall.net/full-disclosure/2018/02/28/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 13%CPEs: 1EXPL: 4CVE-2018-7466 – TestLink Open Source Test Management < 1.9.16 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-7466
25 Feb 2018 — install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value. install/installNewDB.php en TestLink, hasta la versión 1.9.16, permite que atacantes remotos lleven a cabo ataques de inyección aprovechando el control sobre los datos DB LOGIN NAMES durante la instalación para proporcionar un valor largo y manipulado. TestLink Open Source Test Management versions prior t... • https://packetstorm.news/files/id/146634 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2015-7391 – TestLink 1.9.13 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-7391
07 Oct 2015 — Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.9.14 allow remote attackers to inject arbitrary web script or HTML via the (1) selected_end_date or (2) selected_start_date parameter to lib/results/tcCreatedPerUserOnTestProject.php; the (3) containerType parameter to lib/testcases/containerEdit.php; the (4) filter_tc_id or (5) filter_testcase_name parameter to lib/testcases/listTestCases.php; the (6) useRecursion parameter to lib/testcases/tcImport.php; the (7) targetTestCase or (8) ... • https://packetstorm.news/files/id/133891 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •