CVE-2019-20107

Name of the Vulnerable Software and Affected Versions TestLink versions 1.9.19 and earlier

Description The issue allows remote authenticated users to execute arbitrary SQL commands via several parameters, including tproject id to "keywordsView.php", req spec id to "reqSpecCompareRevisions.php", requirement id to "reqCompareVersions.php", build id to "planUpdateTC.php", tplan id to "newest tcversions.php" and "tcCreatedPerUserGUI.php", tcase id to "tcAssign2Tplan.php", or testcase id to "tcCompareVersions.php". Authentication can often be easily achieved as a guest account, which can execute this attack, can be created by anyone in the default configuration.

Recommendations For TestLink versions 1.9.19 and earlier, update to a version later than 1.9.19 to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints, such as "keywordsView.php", "reqSpecCompareRevisions.php", "reqCompareVersions.php", "planUpdateTC.php", "newest tcversions.php", "tcCreatedPerUserGUI.php", "tcAssign2Tplan.php", and "tcCompareVersions.php", until a patch is available. Additionally, limit the creation of guest accounts to prevent unauthorized access.