Skip to main content

Testlink CVE-2024-46097

HIGH
Improper Access Control (CWE-284)
2024-09-27 cve@mitre.org
8.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 27, 2024 - 18:15 cve.org
HIGH 8.1

DescriptionCVE.org

TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can change the tplan_id parameter to another ID. The application does not carry out a check on the user's permissions maing it possible to recover the IDs of all the TestPlans (even the administrative ones) and modify them even with minimal privileges.

AnalysisAI

TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-284. TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can change the tplan_id parameter to another ID. The application does not carry out a check on the user's permissions maing it possible to recover the IDs of all the TestPlans (even the administrative ones) and modify them even with minimal privileges. Affected products include: Testlink.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2012-0938 MEDIUM POC
6.5 Aug 14

Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and earlier allow remote authenticated users with cert

CVE-2014-5308 CRITICAL POC
9.0 Oct 08

Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL comm

CVE-2020-8638 CRITICAL POC
9.8 Apr 03

A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php v

CVE-2020-8637 CRITICAL POC
9.8 Apr 03

A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes

CVE-2022-35196 HIGH POC
8.8 Sep 20

TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php. Rated high se

CVE-2020-8639 HIGH POC
8.8 Apr 03

An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute ar

CVE-2020-8841 HIGH POC
8.8 Feb 10

An issue was discovered in TestLink 1.9.19. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2014-8081 HIGH POC
7.5 Oct 31

lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks

CVE-2023-50110 HIGH POC
7.5 Dec 30

TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used. Rated high severity (CVS

CVE-2020-12273 HIGH POC
7.5 Apr 27

In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials. Rated high severity (CVSS 7.5),

CVE-2018-7668 HIGH POC
7.5 Mar 05

TestLink through 1.9.16 allows remote attackers to read arbitrary attachments via a modified ID field to /lib/attachment

CVE-2018-7466 HIGH POC
7.5 Feb 25

install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging c

Share

CVE-2024-46097 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy