CVE-2019-19491

Name of the Vulnerable Software and Affected Versions TestLink version 1.9.19

Description The issue allows for XSS attacks through specific parameters and requests. This can be achieved via the edit parameter in lib/testcases/archiveData.php, the reqURI parameter in index.php, or the URI in a lib/testcases/tcEdit.php?doAction=doDeleteStep request.

Recommendations For TestLink version 1.9.19, as a temporary workaround, consider restricting access to the lib/testcases/archiveData.php and lib/testcases/tcEdit.php files, and avoid using the edit and reqURI parameters in index.php until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.