CVE-2024-46097

HIGH

Testlink - Improper Access Control

Title source: rule

Description

TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can change the tplan_id parameter to another ID. The application does not carry out a check on the user's permissions maing it possible to recover the IDs of all the TestPlans (even the administrative ones) and modify them even with minimal privileges.

Exploits (1)

github WRITEUP

by Alkatraz97 · poc

https://github.com/Alkatraz97/CVEs/tree/main/CVE-2024-46097.md

View Code ZIP pw:eip

References (1)

[Exploit, Third Party Advisory] https://github.com/Alkatraz97/CVEs/blob/main/CVE-2024-46097.md

View Exploit ZIP pw:eip

Scores

CVSS v3 8.1

EPSS 0.0009

EPSS Percentile 25.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-284

Status published

Products (1)

testlink/testlink 1.9.20

Published Sep 27, 2024

Tracked Since Feb 18, 2026