CVE-2012-2275

Name of the Vulnerable Software and Affected Versions TestLink versions 1.9.3 and earlier

Description The issue allows remote attackers to hijack the authentication of users for requests that add, delete, or modify sensitive information. This can be demonstrated by changing the administrator's email via an editUser action to "lib/usermanagement/userInfo.php".

Recommendations For TestLink versions 1.9.3 and earlier, consider restricting access to the "lib/usermanagement/userInfo.php" endpoint to minimize the risk of exploitation. As a temporary workaround, restrict the editUser action until a patch is available.