Arbitrary Code Execution Risk in HP Mercury Quality Center and TestDirector
CVE-2007-5289
Currently unrated
Summary
HP Mercury Quality Center versions 9.2 and earlier, along with TestDirector, rely on cached client-side scripts to manage user workflows and access capabilities. By leveraging the Open Test Architecture (OTA) API, an attacker can manipulate specific cached files located in the temporary directory, including common.tds, defects.tds, manrun.tds, req.tds, testlab.tds, and testplan.tds. Setting these files to read-only can then facilitate unauthorized remote code execution, which poses significant risks to system integrity and data security.
References
EPSS Score
10% chance of being exploited in the next 30 days.
Timeline
Vulnerability published
Vulnerability reserved