Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data.
AnalysisAI
SQL injection in qdPM 9.1 timeReport endpoint enables remote unauthenticated attackers to extract database contents via crafted filter_by parameters in POST requests. Public exploit code exists (Exploit-DB 45767), and CISA SSVC framework confirms proof-of-concept availability with automatable exploitation. Despite 8.8 CVSS severity, EPSS risk probability remains low at 0.07% (21st percentile), suggesting limited observed exploitation activity. Attackers can retrieve sensitive project management data including credentials, user information, and business records without authentication.
Technical ContextAI
qdPM is an open-source web-based project management tool built on PHP. This vulnerability affects the timeReport module where user-supplied filter_by array parameters (specifically CommentCreatedFrom and CommentCreatedTo fields) are incorporated into SQL queries without proper sanitization or parameterization. The CWE-89 classification indicates classic SQL injection where metacharacters in user input break out of intended query structure, allowing arbitrary SQL command execution. The application likely uses string concatenation to build queries rather than prepared statements with bound parameters. The CVSS vector CVSS:4.0/AV:N/AC:L/PR:N/UI:N indicates network-accessible exploitation with low complexity requiring no privileges or user interaction, while VC:H/VI:L shows high confidentiality impact with limited integrity impact, consistent with data exfiltration capabilities.
RemediationAI
Upgrade qdPM to version 9.2 or later if available, verifying release notes address CVE-2018-25208 at http://qdpm.net. If immediate patching is not feasible, implement compensating controls: deploy web application firewall rules to block POST requests to /timeReport containing special SQL characters (single quotes, semicolons, SQL keywords) in filter_by parameters, recognizing this may break legitimate date filtering functionality requiring UX testing. Restrict network access to qdPM installation using IP allowlisting or VPN requirement, eliminating unauthenticated remote attack vector entirely but impacting remote workforce accessibility. Enable database query logging and configure alerts for suspicious patterns (UNION SELECT, information_schema access, unusual timeReport queries) to detect exploitation attempts, though this provides detection not prevention. Review application logs since deployment for POST requests to timeReport with anomalous filter_by values to identify potential historical compromise. Long-term solution requires code remediation using prepared statements with parameterized queries for all filter_by parameter processing. VulnCheck advisory available at https://www.vulncheck.com/advisories/qdpm-sql-injection-via-filter-by-parameters provides additional technical details.
Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6)
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. Rated high severity (CVSS 8.8), this vulnera
qdPM 9.2 allows remote code execution by using the Add Attachments feature of Edit Project to upload a .php file to the
In qdPM 9.1, an attacker can upload a malicious .php file to the server by exploiting the Add Profile Photo capability w
qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL c
qdPM 9.2 allows Cross-Site Request Forgery (CSRF) via the index.php/myAccount/update URI. Rated high severity (CVSS 8.8)
qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/a
Information disclosure issue in qdPM 8.3 allows remote attackers to obtain sensitive information via a direct request to
qdPM 9.2 allows Directory Traversal to list files and directories by navigating to the /uploads URI. Rated high severity
Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow remote attackers to inject arbitrary web script or
qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter. Rated medium severity (CVSS 6.1
qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. Rated medium severity (CVSS 6.1), th
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2018-21675
GHSA-xfmc-rj6p-7fpg