RSS   Vulnerabilities for 'QDPM'   RSS

2019-05-14
 
CVE-2019-8391

CWE-79
 

 
qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter.

 
 
CVE-2019-8390

CWE-79
 

 
qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter.

 
2017-03-17
 
CVE-2015-3884

 

 
Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/attachments/ or uploads/users/.

 
 
CVE-2015-3883

 

 
Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) search[keywords] parameter to index.php/users page; the (2) "Name of application" on index.php/configuration; (3) a new project name on index.php/projects; (4) the task name on index.php/tasks; (5) ticket name on index.php/tickets; (6) discussion name on index.php/discussions; (7) report name on index.php/projectReports; or (8) event name on index.php/scheduler/personal.

 
 
CVE-2015-3882

 

 
qdPM 8.3 allows remote attackers to obtain sensitive information via invalid ID value to index.php/users/info/id/[ID], which reveals the installation path in an error message.

 
 
CVE-2015-3881

 

 
Information disclosure issue in qdPM 8.3 allows remote attackers to obtain sensitive information via a direct request to (1) core/config/databases.yml, (2) core/log/qdPM_prod.log, or (3) core/apps/qdPM/config/settings.yml.

 


Copyright 2019, cxsecurity.com

 

Back to Top