CVE-2024-46097: n/a

Severity: High
Published: Fri Sep 27 2024 (09/27/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function, you can change the tplan_id parameter to another ID. The application does not carry out a check on the user's permissions, making it possible to recover the IDs of all the TestPlans (even the administrative ones) and modify them even with minimal privileges.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 08:28:49 UTC

Technical Analysis

CVE-2024-46097 is an access control vulnerability identified in TestLink version 1.9.20, a widely used open-source test management tool. The issue arises in the TestPlan editing section, where each TestPlan is assigned an incremental identifier (tplan_id) upon creation. The vulnerability stems from the application's failure to verify user permissions when the tplan_id parameter is manipulated during edit operations. This lack of authorization checks allows users with minimal privileges to enumerate all TestPlan IDs, including those reserved for administrative use, and modify them arbitrarily. The vulnerability is classified under CWE-284 (Improper Access Control). The CVSS v3.1 base score is 8.1, reflecting high severity: the attack vector is network, attack complexity is low, only low privileges are required and no user interaction is needed. The impact includes unauthorized disclosure and modification of test plans, which can compromise the integrity of software testing processes and potentially lead to flawed software releases. Although no patches or known exploits are currently documented, the vulnerability presents a significant risk to organizations relying on TestLink for test management. Because the flaw is exploitable remotely over the network, it should be addressed promptly.
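The following is an added illustration of the access-control gap the description and analysis above refer to; it is not TestLink's code, and the data model, role names and handler functions are assumptions. It contrasts an edit handler that trusts the submitted tplan_id with one that authorizes against the specific plan before writing.

```python
# Added illustration of the missing object-level check behind CVE-2024-46097.
# Not TestLink's code: the data model, role names and handlers are assumed.
from dataclasses import dataclass, field

@dataclass
class TestPlan:
    tplan_id: int
    name: str
    assigned_users: set = field(default_factory=set)  # assumed per-plan assignment

@dataclass
class User:
    username: str
    role: str  # assumed roles: "admin" or "tester"

# Constructed sample data with incremental IDs, as the description notes.
PLANS = {
    1: TestPlan(1, "Admin release plan", {"admin"}),
    2: TestPlan(2, "Team A smoke tests", {"alice"}),
}

class Forbidden(Exception):
    pass

def edit_testplan_vulnerable(user: User, tplan_id: int, new_name: str) -> str:
    """Pattern the advisory describes: the tplan_id from the request is trusted
    and only existence is checked, so any logged-in user can rewrite any plan
    and the 'not found' answer reveals which IDs exist."""
    plan = PLANS.get(tplan_id)
    if plan is None:
        return "not found"
    plan.name = new_name
    return "updated"

def can_edit(user: User, plan: TestPlan) -> bool:
    """Object-level authorization: admins edit any plan, others only plans
    they are assigned to."""
    return user.role == "admin" or user.username in plan.assigned_users

def edit_testplan_fixed(user: User, tplan_id: int, new_name: str) -> str:
    """Hardened handler: authorize against the specific plan before writing.
    Missing and forbidden plans get the same response, so a low-privilege
    user cannot use the edit function to enumerate IDs."""
    plan = PLANS.get(tplan_id)
    if plan is None or not can_edit(user, plan):
        raise Forbidden("no such test plan or access denied")
    plan.name = new_name
    return "updated"
```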

Potential Impact

The vulnerability allows unauthorized users with minimal privileges to access and modify all TestPlans, including those meant for administrators. This compromises the confidentiality of sensitive test data and the integrity of the testing process, potentially leading to incorrect test results and flawed software releases. Organizations relying on TestLink for quality assurance may face operational disruptions and increased risk of software defects reaching production. The ease of exploitation over the network without user interaction increases the likelihood of abuse. Although availability is not directly impacted, the integrity and confidentiality breaches can have cascading effects on software development lifecycles and compliance requirements. The vulnerability could also be leveraged as a foothold for further attacks within an organization's infrastructure if combined with other weaknesses.

Mitigation Recommendations

Since no official patches are currently available, organizations should implement strict access control measures at the application and network layers. This includes restricting TestLink access to trusted users and networks, enforcing strong authentication and role-based access controls, and monitoring for unusual activity related to TestPlan editing. Input validation and parameter tampering detection mechanisms should be employed to detect and block unauthorized manipulation of the tplan_id parameter. Organizations should consider deploying web application firewalls (WAFs) with custom rules to prevent unauthorized access attempts. Regular audits of user permissions and TestPlan modifications can help detect exploitation attempts early. Additionally, organizations should stay alert for updates or patches from the TestLink project and apply them promptly once available. Isolating the TestLink server from public internet exposure can further reduce risk.
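As an added example of the monitoring the recommendations above call for (not code from the page or the TestLink project), the script below scans constructed application log lines for TestPlan edit requests and flags the two symptoms the advisory describes: a non-admin editing a plan they are not assigned to, and one user touching many distinct tplan_id values. The log format, the request path and the assignment table are assumptions made for the example.

```python
# Added example (not from the page or the TestLink project): scan constructed
# application log lines for TestPlan edit requests and flag the two symptoms the
# advisory describes: a non-admin editing a plan they are not assigned to, and one
# user touching many distinct tplan_id values (enumeration). The log format, the
# request path and the assignment table are assumptions made for the example.
import re
from collections import defaultdict

LOG_RE = re.compile(r"user=(?P<user>\S+) role=(?P<role>\S+) .*tplan_id=(?P<tplan>\d+)")

# Constructed: which users are assigned to which plans (would come from the app DB).
ASSIGNMENTS = {"alice": {2}, "bob": {3}}

# Constructed sample log; the path /testplan/edit is a placeholder, not TestLink's.
SAMPLE_LOG = """\
2024-09-27T10:00:01Z user=alice role=tester POST /testplan/edit tplan_id=2
2024-09-27T10:00:05Z user=bob role=tester POST /testplan/edit tplan_id=1
2024-09-27T10:00:06Z user=bob role=tester POST /testplan/edit tplan_id=2
2024-09-27T10:00:07Z user=bob role=tester POST /testplan/edit tplan_id=3
2024-09-27T10:00:08Z user=bob role=tester POST /testplan/edit tplan_id=4
2024-09-27T10:01:00Z user=admin role=admin POST /testplan/edit tplan_id=1
"""

def analyse(log_text: str, assignments: dict, enum_threshold: int = 3) -> list:
    """Return alerts as (kind, user, detail) tuples."""
    alerts = []
    seen = defaultdict(set)  # distinct tplan_ids edited per non-admin user
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a TestPlan edit request
        user, role, tplan = m["user"], m["role"], int(m["tplan"])
        if role == "admin":
            continue  # admins may legitimately edit any plan
        seen[user].add(tplan)
        if tplan not in assignments.get(user, set()):
            alerts.append(("unassigned_edit", user, tplan))
    for user, ids in seen.items():
        if len(ids) >= enum_threshold:
            alerts.append(("enumeration", user, len(ids)))
    return alerts
```

The enumeration threshold is a tuning knob; set it from the normal number of plans a tester touches in a session in your environment.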


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-09-11T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6cfab7ef31ef0b56aa2b

Added to database: 2/25/2026, 9:43:22 PM

Last enriched: 2/26/2026, 8:28:49 AM

Last updated: 4/12/2026, 3:38:15 PM
