CVE-2009-4237

TestLink < 1.8.5 - Cross-Site Scripting via Multiple Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4237.

AI-analyzed exploit summary This advisory from Core Security Technologies details multiple XSS and SQL injection vulnerabilities in TestLink versions 1.8.0 to 1.8.4. It includes technical analysis, proof-of-concept URLs, and patch recommendations.

Description

Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.8.5 allow remote attackers to inject arbitrary web script or HTML via (1) the req parameter to login.php, and allow remote authenticated users to inject arbitrary web script or HTML via (2) the key parameter to lib/general/staticPage.php, (3) the tableName parameter to lib/attachments/attachmentupload.php, or the (4) startDate, (5) endDate, or (6) logLevel parameter to lib/events/eventviewer.php; (7) the search_notes_string parameter to lib/results/resultsMoreBuilds_buildReport.php; or the (8) expected_results, (9) name, (10) steps, or (11) summary parameter in a find action to lib/testcases/searchData.php, related to lib/functions/database.class.php.

Exploits (1)

exploitdb WRITEUP
webappsphp
https://www.exploit-db.com/exploits/10364

This advisory from Core Security Technologies details multiple XSS and SQL injection vulnerabilities in TestLink versions 1.8.0 to 1.8.4. It includes technical analysis, proof-of-concept URLs, and patch recommendations.

Classification
Writeup 100%
Attack Type
Xss | Sqli
Complexity
Trivial
Reliability
Reliable
Target: TestLink 1.8.0-1.8.4
No auth needed
Prerequisites: Access to TestLink login page for unauthenticated XSS · Authenticated session for other vulnerabilities
mistral-large-3 · analyzed Feb 19, 2026 Full analysis →

References (9)

Core 9
Core References
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/37258
Patch, Vendor Advisory, URL Repurposed x_refsource_confirm
http://www.teamst.org/index.php?option=com_content&task=view&id=84&Itemid=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/60915
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/60918
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/60917
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0221.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/60914
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/60916

Scores

EPSS 0.0331
EPSS Percentile 87.1%

Details

CWE
CWE-79
Status published
Products (9)
teamst/testlink 1.7
teamst/testlink 1.7.1
teamst/testlink 1.7.4
teamst/testlink 1.8 rc1
teamst/testlink 1.8.0
teamst/testlink 1.8.1
teamst/testlink 1.8.2
teamst/testlink 1.8.3
teamst/testlink < 1.8.4
Published Dec 10, 2009
Tracked Since Feb 18, 2026