CVE-2018-7466

Published: Feb 25, 2018Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value.

Affected (1)

Products: Testlink: Testlink

Testlink

1 product

Testlink

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Testlink Testlink	Up to 1.9.16

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/9696012eecbafb0aa21cc346234512c29b474679

Source: cve@mitre.org

PatchThird Party Advisory

https://www.exploit-db.com/exploits/44226/

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://www.exploit-db.com/exploits/44349/

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/9696012eecbafb0aa21cc346234512c29b474679

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.exploit-db.com/exploits/44226/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://www.exploit-db.com/exploits/44349/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

Timeline

No history available yet.