In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials.
testlink testlink 1.9.20