PT-2012-3914 · Testlink · Testlink
Published
2012-09-15
·
Updated
2017-08-29
·
CVE-2012-2275
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
TestLink versions 1.9.3 and earlier
Description
The issue allows remote attackers to hijack the authentication of users for requests that add, delete, or modify sensitive information. This can be demonstrated by changing the administrator's email via an editUser action to "lib/usermanagement/userInfo.php".
Recommendations
For TestLink versions 1.9.3 and earlier, consider restricting access to the "lib/usermanagement/userInfo.php" endpoint to minimize the risk of exploitation. As a temporary workaround, restrict the
editUser action until a patch is available.Exploit
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Testlink