TestLink < 1.8.5 Multiple Vulnerabilities

High

Synopsis

The remote web server is vulnerable to multiple attack vectors.

Description

The remote web server is hosting TestLink, a PHP-based testing suite. The installed version of TestLink is earlier than 1.8.5. Such versions are potentially affected by multiple vulnerabilities.

- A cross-site scripting vulnerability in the 'req' parameter of the 'login.php' script, which does not require credentials to exploit.

- Cross-site scripting vulnerabilities in the 'key' parameter of the '/lib/general/staticPage.php' script, the 'tableName' parameter of the '/lib/attachments/attachmentupload.php' script, and the 'startDate', 'endDate', and 'logLevel' parameters of the '/lib/events/eventviewer.php' script.

- Multiple SQL-injection vulnerabilities in the 'Test Case ID' field of the '/lib/general/navBar.php' script, and the 'logLevel' parameter of the '/lib/events/eventviewer.php' script.

Solution

Upgrade to TestLink 1.8.5 or later.