Testlink

testlink

Vendor: Testlink • 27 CVEs

CVEs (27)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-46097 1Testlink 1Testlink Jul 10, 2025 Sep 27, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can chang...Show more TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can change the tplan_id parameter to another ID. The application does not carry out a check on the user's permissions maing it possible to recover the IDs of all the TestPlans (even the administrative ones) and modify them even with minimal privileges.Show less
CVE-2024-42906 1Testlink 1Testlink Sep 5, 2024 Aug 26, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. When uploading a file, the XSS payload can be entered into the file name.
CVE-2023-50110 1Testlink 1Testlink Nov 21, 2024 Dec 30, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used.
CVE-2022-35196 1Testlink 1Testlink May 29, 2025 Sep 20, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php.
CVE-2022-35194 1Testlink 1Testlink Nov 21, 2024 Sep 16, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 TestLink v1.9.20 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /lib/inventory/inventoryView.php.
CVE-2022-35195 1Testlink 1Testlink Nov 21, 2024 Sep 16, 2022 N/A· v4 7.2 HIGH· v3 N/A· v2 TestLink 1.9.20 Raijin was discovered to contain a broken access control vulnerability at /lib/attachments/attachmentdownload.php
CVE-2022-35193 1Testlink 1Testlink Nov 21, 2024 Sep 16, 2022 N/A· v4 7.2 HIGH· v3 N/A· v2 TestLink v1.9.20 was discovered to contain a SQL injection vulnerability via /lib/execute/execNavigator.php.
CVE-2020-12274 1Testlink 1Testlink Nov 21, 2024 Apr 27, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web site associated with t...Show more In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web site associated with the session.Show less
CVE-2020-12273 1Testlink 1Testlink Nov 21, 2024 Apr 27, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials.
CVE-2020-8639 1Testlink 1Testlink Nov 21, 2024 Apr 3, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker...Show more An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application.Show less
CVE-2020-8638 1Testlink 1Testlink Nov 21, 2024 Apr 3, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter.
CVE-2020-8637 1Testlink 1Testlink Nov 21, 2024 Apr 3, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter.
CVE-2019-20107 1Testlink 1Testlink Nov 21, 2024 Mar 5, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allows remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter t...Show more Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allows remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter to reqSpecCompareRevisions.php; the (3) requirement_id parameter to reqCompareVersions.php; the (4) build_id parameter to planUpdateTC.php; the (5) tplan_id parameter to newest_tcversions.php; the (6) tplan_id parameter to tcCreatedPerUserGUI.php; the (7) tcase_id parameter to tcAssign2Tplan.php; or the (8) testcase_id parameter to tcCompareVersions.php. Authentication is often easy to achieve: a guest account, that can execute this attack, can be created by anyone in the default configuration.Show less
CVE-2020-8841 1Testlink 1Testlink Nov 21, 2024 Feb 10, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection.
CVE-2019-20381 1Testlink 1Testlink Nov 21, 2024 Jan 20, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 TestLink before 1.9.20 allows XSS via non-lowercase javascript: in the index.php reqURI parameter. NOTE: this issue exists because of an incomplete fix for CVE-2019-19491.
CVE-2019-19491 1Testlink 1Testlink Nov 21, 2024 Dec 2, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 TestLink 1.9.19 has XSS via the lib/testcases/archiveData.php edit parameter, the index.php reqURI parameter, or the URI in a lib/testcases/tcEdit.php?doAction=doDeleteStep request.
CVE-2019-14471 1Testlink 1Testlink Nov 21, 2024 Aug 1, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 TestLink 1.9.19 has XSS via the error.php message parameter.
CVE-2018-7668 1Testlink 1Testlink Nov 21, 2024 Mar 5, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 TestLink through 1.9.16 allows remote attackers to read arbitrary attachments via a modified ID field to /lib/attachments/attachmentdownload.php.
CVE-2018-7466 1Testlink 1Testlink Nov 21, 2024 Feb 25, 2018 N/A· v4 7.5 HIGH· v3 6.0 MEDIUM· v2 install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value.
CVE-2015-7391 1Testlink 1Testlink May 13, 2026 Sep 26, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.9.14 allow remote attackers to inject arbitrary web script or HTML via the (1) selected_end_date or (2) selected_start_date parameter to lib/result...Show more Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.9.14 allow remote attackers to inject arbitrary web script or HTML via the (1) selected_end_date or (2) selected_start_date parameter to lib/results/tcCreatedPerUserOnTestProject.php; the (3) containerType parameter to lib/testcases/containerEdit.php; the (4) filter_tc_id or (5) filter_testcase_name parameter to lib/testcases/listTestCases.php; the (6) useRecursion parameter to lib/testcases/tcImport.php; the (7) targetTestCase or (8) created_by parameter to lib/testcases/tcSearch.php; or the (9) HTTP Referer header to third_party/user_contribution/fakeRemoteExecServer/client4fakeXMLRPCTestRunner.php.Show less

12 Next