CVE-2007-5289

Currently unrated

Key Information:

Vendor: HP
Status: Mercury Quality Center; Testdirector
Vendor: CVE Published:; 24 February 2009

Summary

HP Mercury Quality Center (QC) 9.2 and earlier, and possibly TestDirector, relies on cached client-side scripts to implement "workflow" and decisions about the "capability" of a user, which allows remote attackers to execute arbitrary code via crafted use of the Open Test Architecture (OTA) API, as demonstrated by modifying (1) common.tds, (2) defects.tds, (3) manrun.tds, (4) req.tds, (5) testlab.tds, or (6) testplan.tds in %tmp%\TD_80, and then setting the file's properties to read-only.

References

http://secunia.com/advisories/34046

third-party-advisoryx_refsource_SECUNIA

http://www.securityfocus.com/archive/1/501177/100/0/threaded

mailing-listx_refsource_BUGTRAQ

http://www.securityfocus.com/bid/33854

vdb-entryx_refsource_BID

EPSS Score

16% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Feb 24, 2009
Vulnerability Reserved
Oct 9, 2007