CVE-2019-20381 - TestLink before 1.9.20 allows XSS via non-lowercase javascript: in the index.php reqURI parameter. N

CVE-2019-20381

Summary

TestLink before 1.9.20 allows XSS via non-lowercase javascript: in the index.php reqURI parameter. NOTE: this issue exists because of an incomplete fix for CVE-2019-19491.

References

http://mantis.testlink.org/view.php?id=8808
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/cde692895e425731e6951d265a01ca6425a7c26e
https://github.com/TestLinkOpenSourceTRMS/testlink-code/compare/1.9.19...1.9.20

Vulnerable Configurations

CVSS

Base:	5.0
Impact:
Exploitability:

Access

Vector	Complexity	Authentication

Impact

Confidentiality	Integrity	Availability

Last major update

20-01-2020 - 06:15

Published

20-01-2020 - 06:15

Last modified

21-01-2020 - 13:19