CVE-2012-0938

2014-08-1414:55:04

CWE-89

mitre

web.nvd.nist.gov

cve

sql injection

testlink

security

vulnerability

remote authenticated

nvd

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

AI Score

8.2

Confidence

Low

EPSS

0.008

Percentile

81.5%

JSON

Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and earlier allow remote authenticated users with certain permissions to execute arbitrary SQL commands via the root_node parameter in the display_children function to (1) getrequirementnodes.php or (2) gettprojectnodes.php in lib/ajax/; the (3) cfield_id parameter in an edit action to lib/cfields/cfieldsEdit.php; the (4) id parameter in an edit action or (5) plan_id parameter in a create action to lib/plan/planMilestonesEdit.php; or the req_spec_id parameter to (6) reqImport.php or (7) in a create action to reqEdit.php in lib/requirements/. NOTE: some of these details are obtained from third party information.

Affected configurations

Nvd

Node

testlinktestlinkMatch1.8.5b

testlinktestlinkMatch1.9.3

VendorProductVersionCPE
testlinktestlink1.8.5bcpe:2.3:a:testlink:testlink:1.8.5b:*:*:*:*:*:*:*
testlinktestlink1.9.3cpe:2.3:a:testlink:testlink:1.9.3:*:*:*:*:*:*:*