CVE-2015-7391

Name of the Vulnerable Software and Affected Versions TestLink versions prior to 1.9.14

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including selected end date and selected start date to '/lib/results/tcCreatedPerUserOnTestProject.php', containerType to '/lib/testcases/containerEdit.php', filter tc id or filter testcase name to '/lib/testcases/listTestCases.php', useRecursion to '/lib/testcases/tcImport.php', targetTestCase or created by to '/lib/testcases/tcSearch.php', or the HTTP Referer header to '/third party/user contribution/fakeRemoteExecServer/client4fakeXMLRPCTestRunner.php'.

Recommendations For versions prior to 1.9.14, update to version 1.9.14 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints until the update is applied. Avoid using the vulnerable parameters selected end date, selected start date, containerType, filter tc id, filter testcase name, useRecursion, targetTestCase, and created by in the respective endpoints until the issue is resolved.