CVE-2009-4237

TestLink Test Management and Execution System - Multiple Cross-Site Scripting / Injection Vulnerabilities

Severity Score

5.4

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.8.5 allow remote attackers to inject arbitrary web script or HTML via (1) the req parameter to login.php, and allow remote authenticated users to inject arbitrary web script or HTML via (2) the key parameter to lib/general/staticPage.php, (3) the tableName parameter to lib/attachments/attachmentupload.php, or the (4) startDate, (5) endDate, or (6) logLevel parameter to lib/events/eventviewer.php; (7) the search_notes_string parameter to lib/results/resultsMoreBuilds_buildReport.php; or the (8) expected_results, (9) name, (10) steps, or (11) summary parameter in a find action to lib/testcases/searchData.php, related to lib/functions/database.class.php.

Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en TestLink en versiones anteriores a v1.8.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de (1) el parámetro "req" a login.php, y permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de (1) el parámetro "key" a lib/general/staticPage.php, (3) el parámetro "tableName" a lib/attachments/attachmentupload.php, o (4) los parámetros "startDate", (5) "endDate", o (6) "logLevel" a lib/events/eventviewer.php; (7) el parámetro "search_notes_string" a lib/results/resultsMoreBuilds_buildReport.php; o los parámetros (8) "expected_results", (9) "name", (10) "steps", o (11) "summary" en una acción "find" a lib/testcases/searchData.php, relacionado con lib/functions/database.class.php.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2009-12-09 CVE Reserved
2009-12-09 First Exploit
2009-12-10 CVE Published
2024-08-07 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (10)

URL	Tag	Source
http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0221.html	Mailing List
http://osvdb.org/60914	Vdb Entry
http://osvdb.org/60915	Vdb Entry
http://osvdb.org/60916	Vdb Entry
http://osvdb.org/60917	Vdb Entry
http://osvdb.org/60918	Vdb Entry

URL	Date	SRC
https://www.exploit-db.com/exploits/10364	2009-12-09
http://www.coresecurity.com/content/testlink-multiple-injection-vulnerabilities	2024-08-07
http://www.securityfocus.com/bid/37258	2024-08-07

URL	Date	SRC
http://www.teamst.org/index.php?option=com_content&task=view&id=84&Itemid=2	2024-02-14

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Teamst Search vendor "Teamst"		Testlink Search vendor "Teamst" for product "Testlink"				<= 1.8.4 Search vendor "Teamst" for product "Testlink" and version " <= 1.8.4"		-		Affected
Teamst Search vendor "Teamst"		Testlink Search vendor "Teamst" for product "Testlink"				1.7 Search vendor "Teamst" for product "Testlink" and version "1.7"		-		Affected
Teamst Search vendor "Teamst"		Testlink Search vendor "Teamst" for product "Testlink"				1.7.1 Search vendor "Teamst" for product "Testlink" and version "1.7.1"		-		Affected
Teamst Search vendor "Teamst"		Testlink Search vendor "Teamst" for product "Testlink"				1.7.4 Search vendor "Teamst" for product "Testlink" and version "1.7.4"		-		Affected
Teamst Search vendor "Teamst"		Testlink Search vendor "Teamst" for product "Testlink"				1.8 Search vendor "Teamst" for product "Testlink" and version "1.8"		rc1		Affected
Teamst Search vendor "Teamst"		Testlink Search vendor "Teamst" for product "Testlink"				1.8.0 Search vendor "Teamst" for product "Testlink" and version "1.8.0"		-		Affected
Teamst Search vendor "Teamst"		Testlink Search vendor "Teamst" for product "Testlink"				1.8.1 Search vendor "Teamst" for product "Testlink" and version "1.8.1"		-		Affected
Teamst Search vendor "Teamst"		Testlink Search vendor "Teamst" for product "Testlink"				1.8.2 Search vendor "Teamst" for product "Testlink" and version "1.8.2"		-		Affected
Teamst Search vendor "Teamst"		Testlink Search vendor "Teamst" for product "Testlink"				1.8.3 Search vendor "Teamst" for product "Testlink" and version "1.8.3"		-		Affected