Vulnerabilities > Qdpm > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2022-04-08 | CVE-2022-26180 | Cross-Site Request Forgery (CSRF) vulnerability in Qdpm 9.2 | qdPM 9.2 allows Cross-Site Request Forgery (CSRF) via the index.php/myAccount/update URI. | 6.8 |
2021-09-09 | CVE-2020-19515 | Cross-site Scripting vulnerability in Qdpm 9.1 | qdPM V9.1 is vulnerable to Cross Site Scripting (XSS) via qdPM\install\modules\database_config.php. | 4.3 |
2020-12-31 | CVE-2020-26165 | Code Injection vulnerability in Qdpm 8.3/9.0/9.1 | qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used. | 6.5 |
2020-04-16 | CVE-2020-11814 | Injection vulnerability in Qdpm 9.1 | A Host Header Injection vulnerability in qdPM 9.1 may allow an attacker to spoof a particular header and redirect users to malicious websites. | 5.8 |
2019-05-14 | CVE-2019-8391 | Cross-site Scripting vulnerability in Qdpm 9.1 | qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter. | 4.3 |
2019-05-14 | CVE-2019-8390 | Cross-site Scripting vulnerability in Qdpm 9.1 | qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. | 4.3 |
2017-03-17 | CVE-2015-3883 | Cross-site Scripting vulnerability in Qdpm 8.3 | Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) search[keywords] parameter to index.php/users page; the (2) "Name of application" on index.php/configuration; (3) a new project name on index.php/projects; (4) the task name on index.php/tasks; (5) ticket name on index.php/tickets; (6) discussion name on index.php/discussions; (7) report name on index.php/projectReports; or (8) event name on index.php/scheduler/personal. | 4.3 |
2017-03-17 | CVE-2015-3882 | Information Exposure vulnerability in Qdpm 8.3 | qdPM 8.3 allows remote attackers to obtain sensitive information via invalid ID value to index.php/users/info/id/[ID], which reveals the installation path in an error message. | 5.0 |
2017-03-17 | CVE-2015-3881 | Information Exposure vulnerability in Qdpm 8.3 | Information disclosure issue in qdPM 8.3 allows remote attackers to obtain sensitive information via a direct request to (1) core/config/databases.yml, (2) core/log/qdPM_prod.log, or (3) core/apps/qdPM/config/settings.yml. | 5.0 |