Saturday, August 15, 2009

Quality Center security issue

A severe security issue in Quality Center has been discovered by Exposit Limited. This issue can be used to corrupt Quality Center data or gain project administrator privileges.
The problem was discovered in version 9.0 of Quality Center, and it affects all releases up to public patch 16. The issue also exists in version 9.2 up to the latest public patch 3. We haven’t tested earlier releases of the product but we strongly believe that they are affected by the same issue.
Customers using Quality Center 9.0 or below are advised to upgrade to at least Quality Center 9.0 patch 16 in order to minimize the impact of this issue. Patch 16 and patch 18 limit the effect of the defect.
Customers using Quality Center 9.2 are also at risk of data corruption and should wait for a patch from HP Customer Support.
The issue has been reported to security instances under reference CVE-2007-5289 and vulnerability disclosure is being coordinated with the vendor (HP).
We will keep you updated as soon as a patch becomes available.