PT-2020-20249 · Testlink · Testlink

Author: Fmancardi · Published: 2020-04-03 · Updated: 2021-02-22 · CVE-2020-8639

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TestLink version 1.9.20

Description: The issue allows remote attackers to execute arbitrary code by uploading a file with an executable extension to a publicly accessible directory of the application. This is made possible by an unrestricted file upload vulnerability in the keywordsImport.php file. An authenticated attacker can upload a malicious file containing PHP code and use it to execute operating system commands.

Recommendations: For TestLink version 1.9.20, consider restricting access to the keywordsImport.php file to prevent malicious file uploads until a patch is available. As a temporary workaround, restrict the types of files that can be uploaded so that executable files are rejected.

Exploit

Fix

RCE

Unrestricted File Upload


Weakness Enumeration

Related Identifiers: CVE-2020-8639

Affected Products: Testlink