TestLink 1.9.20 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) Vulnerability


TestLink 1.9.20 suffers from improper neutralization of special elements used in an sql  command (‘SQL Injection’) vulnerability.




The information has been provided by Miguel Delgado

The original article can be found at:https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/



A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter.


Vulnerable Systems:

TestLink 1.9.20


CVE Information:


Disclosure Timeline:
Published Date:4/3/2020

Categories: FeaturedNews