Vulnerabilities > Qdpm

DATE CVE VULNERABILITY TITLE RISK
2023-10-14 CVE-2023-45855 Path Traversal vulnerability in Qdpm 9.2
qdPM 9.2 allows Directory Traversal to list files and directories by navigating to the /uploads URI.
network
low complexity
qdpm CWE-22
7.5
2023-10-14 CVE-2023-45856 Unrestricted Upload of File with Dangerous Type vulnerability in Qdpm 9.2
qdPM 9.2 allows remote code execution by using the Add Attachments feature of Edit Project to upload a .php file to the /uploads URI.
network
low complexity
qdpm CWE-434
critical
9.8
2022-04-08 CVE-2022-26180 Cross-Site Request Forgery (CSRF) vulnerability in Qdpm 9.2
qdPM 9.2 allows Cross-Site Request Forgery (CSRF) via the index.php/myAccount/update URI.
network
low complexity
qdpm CWE-352
8.8
2021-09-09 CVE-2020-19515 Cross-site Scripting vulnerability in Qdpm 9.1
qdPM V9.1 is vulnerable to Cross Site Scripting (XSS) via qdPM\install\modules\database_config.php.
network
low complexity
qdpm CWE-79
6.1
2021-08-26 CVE-2020-18468 Cross-site Scripting vulnerability in Qdpm 9.1
Cross Site Scripting (XSS) vulnerability exists in qdPM 9.1 in the Heading field found in the Login Page page under the General menu via a crafted website name by doing an authenticated POST HTTP request to /qdPM_9.1/index.php/configuration.
network
low complexity
qdpm CWE-79
5.4
2020-12-31 CVE-2020-26165 Deserialization of Untrusted Data vulnerability in Qdpm 8.3/9.0/9.1
qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used.
network
low complexity
qdpm CWE-502
8.8
2020-10-05 CVE-2020-26166 Cross-site Scripting vulnerability in Qdpm 9.1
The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS.
network
low complexity
qdpm CWE-79
5.4
2020-04-16 CVE-2020-11814 Injection vulnerability in Qdpm 9.1
A Host Header Injection vulnerability in qdPM 9.1 may allow an attacker to spoof a particular header and redirect users to malicious websites.
network
low complexity
qdpm CWE-74
5.4
2020-04-16 CVE-2020-11811 Unrestricted Upload of File with Dangerous Type vulnerability in Qdpm 9.1
In qdPM 9.1, an attacker can upload a malicious .php file to the server by exploiting the Add Profile Photo capability with a crafted content-type value.
network
low complexity
qdpm CWE-434
critical
9.8
2020-01-21 CVE-2020-7246 Unrestricted Upload of File with Dangerous Type vulnerability in Qdpm 8.3/9.0/9.1
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier.
network
low complexity
qdpm CWE-434
8.8