CVE-2020-8637

CRITICAL LAB

TestLink <1.9.20 - SQL Injection

Title source: llm

Description

A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter.

Exploits (1)

nomisec WORKING POC

by DXY0411 · poc

https://github.com/DXY0411/CVE-2020-8637

View Code ZIP pw:eip

References (2)

[Exploit, Patch, Third Party Advisory] https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/

[Patch, Third Party Advisory] https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d99bd8277d384f3417e917ce20bef5d061110343

Scores

CVSS v3 9.8

EPSS 0.1116

EPSS Percentile 93.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull bitnami/testlink:1.9.20-debian-10-r12

https://github.com/DXY0411/CVE-2020-8637

View in Library

Details

CWE

CWE-89

Status published

Products (1)

testlink/testlink 1.9.20

Published Apr 03, 2020

Tracked Since Feb 18, 2026