TestLink up to and including 1.9.16 allows remote malicious users to read arbitrary attachments by modifying the ID field in a request to /lib/attachments/attachmentdownload.php.
testlink testlink
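A detection sketch for the access pattern described above, added here as an example and not taken from TestLink or the advisory: it scans web server access logs for one client successfully fetching many distinct, mostly consecutive attachment IDs from the download script. The Apache combined log format, the `id` query parameter name, the thresholds and the sample log lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

DOWNLOAD_PATH = "/lib/attachments/attachmentdownload.php"  # path named in the advisory
ID_PARAM = "id"  # assumption: query parameter that carries the attachment ID
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def attachment_ids_by_client(lines):
    """Map client IP -> set of attachment IDs it downloaded successfully."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue  # unparsable line or no data returned
        url = urlsplit(m["target"])
        if not url.path.endswith(DOWNLOAD_PATH):
            continue
        for value in parse_qs(url.query).get(ID_PARAM, []):
            if value.isdigit():
                seen[m["ip"]].add(int(value))
    return seen

def flag_enumeration(lines, min_distinct=5):
    """Return clients whose downloaded IDs look like a sequential walk."""
    flagged = {}
    for ip, ids in attachment_ids_by_client(lines).items():
        ordered = sorted(ids)
        # Count neighbouring IDs that differ by exactly one.
        consecutive = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if len(ordered) >= min_distinct and consecutive >= len(ordered) // 2:
            flagged[ip] = ordered
    return flagged

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2020:10:00:{i:02d} +0000] '
    f'"GET /testlink{DOWNLOAD_PATH}?id={i} HTTP/1.1" 200 5120 "-" "-"'
    for i in range(1, 9)
] + [
    f'198.51.100.7 - - [01/Jan/2020:11:00:00 +0000] '
    f'"GET /testlink{DOWNLOAD_PATH}?id={n} HTTP/1.1" 200 2048 "-" "-"'
    for n in (3, 41)
]

if __name__ == "__main__":
    for ip, ids in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip} downloaded {len(ids)} attachments: {ids}")
```

Flagged clients are candidates for review against the attachments they were actually authorised to see; tune `min_distinct` to the normal download volume of the installation.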