Skip to main content

Testlink CVE-2024-42906

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-08-26 cve@mitre.org
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 26, 2024 - 20:15 nvd
MEDIUM 6.1

DescriptionNVD

TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. When uploading a file, the XSS payload can be entered into the file name.

AnalysisAI

TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. When uploading a file, the XSS payload can be entered into the file name. Affected products include: Testlink.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2012-0938 MEDIUM POC
6.5 Aug 14

Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and earlier allow remote authenticated users with cert

CVE-2014-5308 CRITICAL POC
9.0 Oct 08

Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL comm

CVE-2020-8638 CRITICAL POC
9.8 Apr 03

A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php v

CVE-2020-8637 CRITICAL POC
9.8 Apr 03

A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes

CVE-2022-35196 HIGH POC
8.8 Sep 20

TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php. Rated high se

CVE-2020-8639 HIGH POC
8.8 Apr 03

An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute ar

CVE-2020-8841 HIGH POC
8.8 Feb 10

An issue was discovered in TestLink 1.9.19. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2014-8081 HIGH POC
7.5 Oct 31

lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks

CVE-2024-46097 HIGH POC
8.1 Sep 27

TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. Rated high severity (CVSS 8.1

CVE-2023-50110 HIGH POC
7.5 Dec 30

TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used. Rated high severity (CVS

CVE-2020-12273 HIGH POC
7.5 Apr 27

In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials. Rated high severity (CVSS 7.5),

CVE-2018-7668 HIGH POC
7.5 Mar 05

TestLink through 1.9.16 allows remote attackers to read arbitrary attachments via a modified ID field to /lib/attachment

Share

CVE-2024-42906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy