CVE-2024-42906

MEDIUM

TestLink < 1.9.20 - Cross-Site Scripting via File Upload Pop-up

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-42906. PoCs published by Alkatraz97.

AI-analyzed exploit summary The repository contains detailed technical writeups for CVE-2024-42906, describing a reflected XSS vulnerability in TestLink Open Source Test Management. The writeup includes steps to reproduce the issue, impact analysis, and proof-of-concept images.

Description

TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. When uploading a file, the XSS payload can be entered into the file name.

Exploits (1)

github WRITEUP

by Alkatraz97 · poc

https://github.com/Alkatraz97/CVEs/tree/main/CVE-2024-42906.md

View Code ZIP pw:eip

The repository contains detailed technical writeups for CVE-2024-42906, describing a reflected XSS vulnerability in TestLink Open Source Test Management. The writeup includes steps to reproduce the issue, impact analysis, and proof-of-concept images.

Classification

Writeup 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: TestLink Open Source Test Management (before version 1.9.20 - Raijin)

No auth needed

Prerequisites: Access to the file upload function in TestLink

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit

https://github.com/Alkatraz97/CVEs/blob/main/CVE-2024-42906.md

View Exploit ZIP pw:eip

Product

https://testlink.org/

Scores

CVSS v3 6.1

EPSS 0.0033

EPSS Percentile 24.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

testlink/testlink < 1.9.20

Published Aug 26, 2024

Tracked Since Feb 18, 2026