QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immediate login via the web application login page. Because the account provides administrative privileges in the default configuration, an attacker who can reach the login page can gain administrative access.
QaTraq version 6.9.2 has built-in, default-enabled administrator account credentials (CWE-521: Weak Password Requirements). This account is active immediately after installation and accessible through the standard web application login page. An attacker who can reach this page — for example via the Internet or internal network — can log in using known default credentials and immediately take control of the application with administrator privileges.
An attacker gains full administrative access to the QaTraq application, which enables them to read, modify and delete test data as well as manage system configuration. According to related references, the vulnerability can be combined with other flaws (e.g. file upload leading to RCE), which may result in complete server takeover.
The default administrator account must be changed or disabled immediately after installation. It is recommended to check for available updates from the vendor (http://qatraq.com) and review references regarding the patched version. Until a patch is applied, access to the application login page should be restricted to trusted IP addresses only using a firewall or network-level access control mechanisms.
QaTraq version 6.9.2 in default installation configuration
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTestmanagement Qatraq
APPTestmanagement6.9.2