CVE-2007-5289

Published: Feb 24, 2009

Modified: Aug 7, 2024

PUBLISHED

Description

HP Mercury Quality Center (QC) 9.2 and earlier, and possibly TestDirector, relies on cached client-side scripts to implement "workflow" and decisions about the "capability" of a user, which allows remote attackers to execute arbitrary code via crafted use of the Open Test Architecture (OTA) API, as demonstrated by modifying (1) common.tds, (2) defects.tds, (3) manrun.tds, (4) req.tds, (5) testlab.tds, or (6) testplan.tds in %tmp%\TD_80, and then setting the file's properties to read-only.

Vendor: n/a

Product: n/a

Versions: n/a (affected)

References

34046 (third-party-advisory, x_refsource_SECUNIA)
20090223 HP Quality Center vulnerability (mailing-list, x_refsource_BUGTRAQ)
33854 (vdb-entry, x_refsource_BID)
34015 (third-party-advisory, x_refsource_SECUNIA)
VU#898865 (third-party-advisory, x_refsource_CERT-VN)
20090224 Re: HP Quality Center vulnerability (mailing-list, x_refsource_BUGTRAQ)
