CVE-2009-4237

TestLink <1.8.5 - XSS

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.8.5 allow remote attackers to inject arbitrary web script or HTML via (1) the req parameter to login.php, and allow remote authenticated users to inject arbitrary web script or HTML via (2) the key parameter to lib/general/staticPage.php, (3) the tableName parameter to lib/attachments/attachmentupload.php, or the (4) startDate, (5) endDate, or (6) logLevel parameter to lib/events/eventviewer.php; (7) the search_notes_string parameter to lib/results/resultsMoreBuilds_buildReport.php; or the (8) expected_results, (9) name, (10) steps, or (11) summary parameter in a find action to lib/testcases/searchData.php, related to lib/functions/database.class.php.

Exploits (1)

exploitdb WRITEUP

webappsphp

https://www.exploit-db.com/exploits/10364

View on exploitdb

References (9)

[Third Party Advisory] http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0221.html

[Exploit] http://www.coresecurity.com/content/testlink-multiple-injection-vulnerabilities

[Exploit, Patch] http://www.securityfocus.com/bid/37258

[Patch, Vendor Advisory, URL Repurposed] http://www.teamst.org/index.php?option=com_content&task=view&id=84&Itemid=2

[Third Party Advisory, VDB Entry] http://osvdb.org/60914

[Third Party Advisory, VDB Entry] http://osvdb.org/60915

[Third Party Advisory, VDB Entry] http://osvdb.org/60916

[Third Party Advisory, VDB Entry] http://osvdb.org/60917

[Third Party Advisory, VDB Entry] http://osvdb.org/60918

Scores

EPSS 0.0091

EPSS Percentile 75.5%

Classification

CWE

CWE-79

Status published

Affected Products (10)

teamst/testlink < 1.8.4

teamst/testlink

teamst/testlink

teamst/testlink

teamst/testlink

teamst/testlink

teamst/testlink

teamst/testlink

teamst/testlink

n/a/n/a

Timeline

Published Dec 10, 2009

Tracked Since Feb 18, 2026