Vulnerability CVE-2019-8390


Published: 2019-05-14

Description:
qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter.

See advisories in our WLB2 database:
Risk: Low
Topic: qdPM 9.1 Cross Site Scripting
Author: Mehmet Emiroglu
Date: 19.02.2019

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: QDPM
Product: QDPM
Version: 9.1

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

References:
http://packetstormsecurity.com/files/151723/qdPM-9.1-Cross-Site-Scripting.html
http://qdpm.net/download-qdpm-free-project-management
http://sourceforge.net/projects/qdpm
https://www.exploit-db.com/exploits/46399/

Related CVE
CVE-2019-8391
qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter.
CVE-2015-3882
qdPM 8.3 allows remote attackers to obtain sensitive information via invalid ID value to index.php/users/info/id/[ID], which reveals the installation path in an error message.
CVE-2015-3883
Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) search[keywords] parameter to index.php/users page; the (2) "Name of application" on index.php/configuration; (3...
CVE-2015-3884
Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executa...
CVE-2015-3881
Information disclosure issue in qdPM 8.3 allows remote attackers to obtain sensitive information via a direct request to (1) core/config/databases.yml, (2) core/log/qdPM_prod.log, or (3) core/apps/qdPM/config/settings.yml.

Copyright 2019, cxsecurity.com
