Description
Multiple cross-site request forgery (CSRF) vulnerabilities in TestLink 1.9.3 and earlier allow remote attackers to hijack the authentication of users for requests that add, delete, or modify sensitive information, as demonstrated by changing the administrator's email via an editUser action to lib/usermanagement/userInfo.php.
Exploits (1)
exploitdb
WORKING POC
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/21135
References (8)
Exploit (exploit, x_refsource_exploit-db): http://www.exploit-db.com/exploits/21135
Exploit (x_refsource_misc): http://packetstormsecurity.org/files/116275/TestLink-1.9.3-Cross-Site-Request-Forgery.html
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/78306
Exploit (mailing-list, x_refsource_bugtraq): http://archives.neohapsis.com/archives/bugtraq/2012-09/0023.html
Exploit, Patch (x_refsource_confirm): http://gitorious.org/testlink-ga/testlink-code/commit/252788c2373e73173172ada9af661e0721599891
Exploit, Patch (x_refsource_confirm): http://gitorious.org/testlink-ga/testlink-code/commit/c8751a3c9ad8970b49d1bf882203efacd10af087
Exploit, Patch (x_refsource_confirm): http://gitorious.org/testlink-ga/testlink-code/commit/2d4ac941314f8bda80e265c9de8bacf17d1cd3e6
Exploit (x_refsource_misc): https://www.htbridge.com/advisory/HTB23088
Scores
EPSS: 0.0039
EPSS Percentile: 59.8%
Details
CWE: CWE-352
Status: published
Products (13)
teamst/testlink 1.7
teamst/testlink 1.7.0
teamst/testlink 1.7.1
teamst/testlink 1.7.2
teamst/testlink 1.7.3
teamst/testlink 1.7.4
teamst/testlink 1.8 (5 CPE variants)
teamst/testlink 1.8.0
teamst/testlink 1.8.1
teamst/testlink 1.8.2
... and 3 more
Published: Sep 15, 2012
Tracked Since: Feb 18, 2026