Skip to main content

Testlink

27 CVEs product

Monthly

CVE-2024-46097 HIGH POC This Week

TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Testlink
NVD GitHub
CVSS 3.1
8.1
EPSS
0.4%
CVE-2024-42906 MEDIUM POC This Month

TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Testlink
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2023-50110 HIGH POC This Week

TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Testlink
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-35196 HIGH POC This Week

TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Testlink
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2022-35194 MEDIUM POC This Month

TestLink v1.9.20 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /lib/inventory/inventoryView.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Testlink
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-35195 HIGH POC This Week

TestLink 1.9.20 Raijin was discovered to contain a broken access control vulnerability at /lib/attachments/attachmentdownload.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Testlink
NVD GitHub
CVSS 3.1
7.2
EPSS
1.1%
CVE-2022-35193 HIGH POC This Week

TestLink v1.9.20 was discovered to contain a SQL injection vulnerability via /lib/execute/execNavigator.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Testlink
NVD GitHub
CVSS 3.1
7.2
EPSS
1.0%
CVE-2020-12274 CRITICAL PATCH Act Now

In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure PHP Testlink
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2020-12273 HIGH POC PATCH This Week

In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure PHP Testlink
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2020-8639 HIGH POC PATCH THREAT This Week

An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

File Upload RCE PHP Testlink
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
15.9%
CVE-2020-8638 CRITICAL POC PATCH Act Now

A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PHP Testlink
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2020-8637 CRITICAL POC PATCH Act Now

A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PHP Testlink
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2020-8841 HIGH POC This Week

An issue was discovered in TestLink 1.9.19. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Testlink
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2019-19491 MEDIUM POC This Month

TestLink 1.9.19 has XSS via the lib/testcases/archiveData.php edit parameter, the index.php reqURI parameter, or the URI in a lib/testcases/tcEdit.php?doAction=doDeleteStep request. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Testlink
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.8%
CVE-2019-10378 Maven MEDIUM This Month

Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Jenkins Information Disclosure Testlink
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2019-14471 MEDIUM POC This Month

TestLink 1.9.19 has XSS via the error.php message parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Testlink
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-1000113 Maven MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Testlink
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2018-7668 HIGH POC This Week

TestLink through 1.9.16 allows remote attackers to read arbitrary attachments via a modified ID field to /lib/attachments/attachmentdownload.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Testlink
NVD
CVSS 3.0
7.5
EPSS
1.5%
CVE-2018-7466 HIGH POC PATCH This Week

install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.

Code Injection RCE PHP Testlink
NVD GitHub Exploit-DB
CVSS 3.0
7.5
EPSS
6.2%
CVE-2015-7391 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.9.14 allow remote attackers to inject arbitrary web script or HTML via the (1) selected_end_date or (2) selected_start_date. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Testlink
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2015-7390 CRITICAL Act Now

SQL injection vulnerability in TestLink before 1.9.14 allows remote attackers to execute arbitrary SQL commands via the apikey parameter to lnl.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP Testlink
NVD
CVSS 3.0
9.8
EPSS
0.4%
CVE-2014-8082 MEDIUM POC This Month

lib/functions/database.class.php in TestLink before 1.9.13 allows remote attackers to obtain sensitive information via unspecified vectors, which reveals the installation path in an error message. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Testlink
NVD
CVSS 2.0
5.0
EPSS
0.7%
CVE-2014-8081 HIGH POC This Week

lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the filter_result_result parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection Testlink
NVD
CVSS 2.0
7.5
EPSS
3.2%
CVE-2014-5308 CRITICAL POC THREAT Emergency

Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL commands via the (1) name parameter in a Search action to. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 17.0%.

PHP SQLi Testlink
NVD Exploit-DB
CVSS 2.0
9.0
EPSS
17.0%
CVE-2012-0939 MEDIUM This Month

Multiple SQL injection vulnerabilities in TestLink 1.8.5b and earlier allow remote authenticated users with the Requirement view permission to execute arbitrary SQL commands via the req_spec_id. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Testlink
NVD
CVSS 2.0
6.5
EPSS
0.6%
CVE-2012-0938 MEDIUM POC THREAT This Month

Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and earlier allow remote authenticated users with certain permissions to execute arbitrary SQL commands via the root_node parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 29.4%.

PHP SQLi Testlink
NVD
CVSS 2.0
6.5
EPSS
29.4%
CVE-2012-2275 MEDIUM POC This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in TestLink 1.9.3 and earlier allow remote attackers to hijack the authentication of users for requests that add, delete, or modify. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF PHP Testlink
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
0.4%
EPSS 0% CVSS 8.1
HIGH POC This Week

TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Testlink
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Testlink
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Testlink
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Testlink
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

TestLink v1.9.20 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /lib/inventory/inventoryView.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Testlink
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

TestLink 1.9.20 Raijin was discovered to contain a broken access control vulnerability at /lib/attachments/attachmentdownload.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Testlink
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

TestLink v1.9.20 was discovered to contain a SQL injection vulnerability via /lib/execute/execNavigator.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Testlink
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure PHP Testlink
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure PHP Testlink
NVD GitHub
EPSS 16% CVSS 8.8
HIGH POC PATCH THREAT This Week

An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

File Upload RCE PHP +1
NVD GitHub Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PHP Testlink
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PHP Testlink
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

An issue was discovered in TestLink 1.9.19. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Testlink
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

TestLink 1.9.19 has XSS via the lib/testcases/archiveData.php edit parameter, the index.php reqURI parameter, or the URI in a lib/testcases/tcEdit.php?doAction=doDeleteStep request. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Testlink
NVD Exploit-DB
EPSS 1% CVSS 5.3
MEDIUM This Month

Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Jenkins Information Disclosure Testlink
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

TestLink 1.9.19 has XSS via the error.php message parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Testlink
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XSS Testlink
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

TestLink through 1.9.16 allows remote attackers to read arbitrary attachments via a modified ID field to /lib/attachments/attachmentdownload.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Testlink
NVD
EPSS 6% CVSS 7.5
HIGH POC PATCH This Week

install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.

Code Injection RCE PHP +1
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.9.14 allow remote attackers to inject arbitrary web script or HTML via the (1) selected_end_date or (2) selected_start_date. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Testlink
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection vulnerability in TestLink before 1.9.14 allows remote attackers to execute arbitrary SQL commands via the apikey parameter to lnl.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP Testlink
NVD
EPSS 1% CVSS 5.0
MEDIUM POC This Month

lib/functions/database.class.php in TestLink before 1.9.13 allows remote attackers to obtain sensitive information via unspecified vectors, which reveals the installation path in an error message. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Testlink
NVD
EPSS 3% CVSS 7.5
HIGH POC This Week

lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the filter_result_result parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +1
NVD
EPSS 17% CVSS 9.0
CRITICAL POC THREAT Emergency

Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL commands via the (1) name parameter in a Search action to. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 17.0%.

PHP SQLi Testlink
NVD Exploit-DB
EPSS 1% CVSS 6.5
MEDIUM This Month

Multiple SQL injection vulnerabilities in TestLink 1.8.5b and earlier allow remote authenticated users with the Requirement view permission to execute arbitrary SQL commands via the req_spec_id. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Testlink
NVD
EPSS 29% CVSS 6.5
MEDIUM POC THREAT This Month

Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and earlier allow remote authenticated users with certain permissions to execute arbitrary SQL commands via the root_node parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 29.4%.

PHP SQLi Testlink
NVD
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in TestLink 1.9.3 and earlier allow remote attackers to hijack the authentication of users for requests that add, delete, or modify. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF PHP Testlink
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy