PT-2024-31908 · Testlink · Testlink

Kevin Riva

·

Published

2024-09-27

·

Updated

2024-10-02

·

CVE-2024-46097

CVSS v3.1

8.1

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: TestLink version 1.9.20
Description: The issue is an Incorrect Access Control weakness in the TestPlan editing section. When a new TestPlan is created, it is assigned an automatically generated, incrementing ID. In the edit function, the tplan id parameter can be changed to another ID. The application does not check whether the current user has rights on the requested TestPlan, so a user with minimal privileges can enumerate the IDs of all TestPlans, including administrative ones, and modify them.
Recommendations: For TestLink version 1.9.20, consider restricting access to the TestPlan editing section until a fix is available. As a temporary workaround, restrict the ability to modify the tplan id parameter to prevent unauthorized access to TestPlans. At the time of writing, no newer version containing a fix for this vulnerability is known.
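The flaw described above is an object-level authorization gap: the server uses the client-supplied TestPlan ID as the only input to its decision and never consults the session user's rights. The following is an added illustration written for this page, not TestLink code: it models a test-plan edit handler in its vulnerable form next to a hardened one, and a probe that walks sequential IDs the way the advisory describes. The in-memory store, the User/TestPlan classes, the role model and all function names are assumptions made for the example.

```python
"""Object-level authorization on a test-plan edit endpoint.

Added illustration for the advisory; not TestLink code. The store, the
role model (admin or per-plan edit grants) and all names are assumptions.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when the caller may not edit the requested test plan."""


@dataclass
class User:
    name: str
    is_admin: bool = False
    # ids of test plans this user was granted edit rights on (assumed role model)
    editable_plans: set = field(default_factory=set)


@dataclass
class TestPlan:
    id: int
    name: str


def make_store():
    """Constructed sample data: ids are sequential, like an auto-increment key."""
    return {
        1: TestPlan(1, "Admin smoke plan"),
        2: TestPlan(2, "Release 2.0 regression"),
        3: TestPlan(3, "Tester sandbox"),
    }


def edit_plan_vulnerable(store, user, tplan_id, new_name):
    """Trusts the id from the request and never asks who the caller is:
    any authenticated user can rename any plan by changing tplan_id."""
    plan = store[tplan_id]  # KeyError also reveals which ids do not exist
    plan.name = new_name
    return plan


def can_edit(user, tplan_id):
    """Decision comes from the session user's rights, not from the request."""
    return user.is_admin or tplan_id in user.editable_plans


def edit_plan_fixed(store, user, tplan_id, new_name):
    """Server-side object-level check. Missing and forbidden plans produce the
    same error so the endpoint cannot be used as an id oracle."""
    if tplan_id not in store or not can_edit(user, tplan_id):
        raise AccessDenied(f"user {user.name!r} may not edit test plan {tplan_id}")
    plan = store[tplan_id]
    plan.name = new_name
    return plan


def plans_reachable(store, user, editor, max_id=10):
    """Tamper tplan_id across 1..max_id, as the advisory describes, and return
    the ids the given handler let `user` modify. Renaming a plan to its current
    name keeps the store unchanged while probing."""
    reachable = []
    for tid in range(1, max_id + 1):
        current = store[tid].name if tid in store else "probe"
        try:
            editor(store, user, tid, current)
        except (AccessDenied, KeyError):
            continue
        reachable.append(tid)
    return reachable


if __name__ == "__main__":
    tester = User("tester", editable_plans={3})
    print("vulnerable:", plans_reachable(make_store(), tester, edit_plan_vulnerable))  # [1, 2, 3]
    print("fixed:     ", plans_reachable(make_store(), tester, edit_plan_fixed))       # [3]
```

The check belongs in the handler itself, keyed on the authenticated user; hiding or disabling the ID field in the form (the interim workaround above) only stops casual tampering, since the parameter is still sent by the browser and can be rewritten in transit.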

Exploit

Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2024-46097

Affected Products: Testlink