TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. When uploading a file, the XSS payload can be entered into the file name.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 05 Sep 2024 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Testlink
Testlink testlink
CPEs cpe:2.3:a:testlink:testlink:*:*:*:*:*:*:*:*
Vendors & Products Testlink
Testlink testlink

Mon, 26 Aug 2024 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins
Jenkins testlink
Weaknesses CWE-79
CPEs cpe:2.3:a:jenkins:testlink:*:*:*:*:*:jenkins:*:*
Vendors & Products Jenkins
Jenkins testlink
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Aug 2024 19:45:00 +0000

Type Values Removed Values Added
Description TestLink before v.1.9.20 is vulnerable to Cross Site Scripting (XSS) via the pop-up on upload file. When uploading a file, the XSS payload can be entered into the file name.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-26T20:48:33.520Z

Reserved: 2024-08-05T00:00:00

Link: CVE-2024-42906

cve-icon Vulnrichment

Updated: 2024-08-26T20:23:57.152Z

cve-icon NVD

Status : Analyzed

Published: 2024-08-26T20:15:07.913

Modified: 2024-09-05T18:29:02.627

Link: CVE-2024-42906

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.