Vulnerabilities > Qdpm > Medium

DATE CVE VULNERABILITY TITLE RISK
2021-09-09 CVE-2020-19515 Cross-site Scripting vulnerability in Qdpm 9.1
qdPM V9.1 is vulnerable to Cross Site Scripting (XSS) via qdPM\install\modules\database_config.php.
network
low complexity
qdpm CWE-79
6.1
6.1
2021-08-26 CVE-2020-18468 Cross-site Scripting vulnerability in Qdpm 9.1
Cross Site Scripting (XSS) vulnerability exists in qdPM 9.1 in the Heading field found in the Login Page page under the General menu via a crafted website name by doing an authenticated POST HTTP request to /qdPM_9.1/index.php/configuration.
network
low complexity
qdpm CWE-79
5.4
5.4
2020-10-05 CVE-2020-26166 Cross-site Scripting vulnerability in Qdpm 9.1
The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS.
network
low complexity
qdpm CWE-79
5.4
5.4
2020-04-16 CVE-2020-11814 Injection vulnerability in Qdpm 9.1
A Host Header Injection vulnerability in qdPM 9.1 may allow an attacker to spoof a particular header and redirect users to malicious websites.
network
low complexity
qdpm CWE-74
5.4
5.4
2019-05-14 CVE-2019-8391 Cross-site Scripting vulnerability in Qdpm 9.1
qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter.
network
low complexity
qdpm CWE-79
6.1
6.1
2019-05-14 CVE-2019-8390 Cross-site Scripting vulnerability in Qdpm 9.1
qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter.
network
low complexity
qdpm CWE-79
6.1
6.1
2017-03-17 CVE-2015-3883 Cross-site Scripting vulnerability in Qdpm 8.3
Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) search[keywords] parameter to index.php/users page; the (2) "Name of application" on index.php/configuration; (3) a new project name on index.php/projects; (4) the task name on index.php/tasks; (5) ticket name on index.php/tickets; (6) discussion name on index.php/discussions; (7) report name on index.php/projectReports; or (8) event name on index.php/scheduler/personal.
network
low complexity
qdpm CWE-79
6.1
6.1
2017-03-17 CVE-2015-3882 Information Exposure vulnerability in Qdpm 8.3
qdPM 8.3 allows remote attackers to obtain sensitive information via invalid ID value to index.php/users/info/id/[ID], which reveals the installation path in an error message.
network
low complexity
qdpm CWE-200
5.3
5.3