9.8 / 10
CRITICAL
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter.
Weakness: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Published: 2020-04-03
Vulnerable Products
Community Advisory