Skip to main content

Qdpm CVE-2018-25208

| EUVDEUVD-2018-21675 HIGH
SQL Injection (CWE-89)
2026-03-26 VulnCheck GHSA-xfmc-rj6p-7fpg
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 20, 2026 - 14:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 20, 2026 - 14:22 vuln.today
cvss_changed
PoC Detected
Mar 26, 2026 - 15:13 vuln.today
Public exploit code
EUVD ID Assigned
Mar 26, 2026 - 12:00 euvd
EUVD-2018-21675
Analysis Generated
Mar 26, 2026 - 12:00 vuln.today
CVE Published
Mar 26, 2026 - 11:39 nvd
HIGH 8.8

DescriptionCVE.org

qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data.

AnalysisAI

SQL injection in qdPM 9.1 timeReport endpoint enables remote unauthenticated attackers to extract database contents via crafted filter_by parameters in POST requests. Public exploit code exists (Exploit-DB 45767), and CISA SSVC framework confirms proof-of-concept availability with automatable exploitation. Despite 8.8 CVSS severity, EPSS risk probability remains low at 0.07% (21st percentile), suggesting limited observed exploitation activity. Attackers can retrieve sensitive project management data including credentials, user information, and business records without authentication.

Technical ContextAI

qdPM is an open-source web-based project management tool built on PHP. This vulnerability affects the timeReport module where user-supplied filter_by array parameters (specifically CommentCreatedFrom and CommentCreatedTo fields) are incorporated into SQL queries without proper sanitization or parameterization. The CWE-89 classification indicates classic SQL injection where metacharacters in user input break out of intended query structure, allowing arbitrary SQL command execution. The application likely uses string concatenation to build queries rather than prepared statements with bound parameters. The CVSS vector CVSS:4.0/AV:N/AC:L/PR:N/UI:N indicates network-accessible exploitation with low complexity requiring no privileges or user interaction, while VC:H/VI:L shows high confidentiality impact with limited integrity impact, consistent with data exfiltration capabilities.

RemediationAI

Upgrade qdPM to version 9.2 or later if available, verifying release notes address CVE-2018-25208 at http://qdpm.net. If immediate patching is not feasible, implement compensating controls: deploy web application firewall rules to block POST requests to /timeReport containing special SQL characters (single quotes, semicolons, SQL keywords) in filter_by parameters, recognizing this may break legitimate date filtering functionality requiring UX testing. Restrict network access to qdPM installation using IP allowlisting or VPN requirement, eliminating unauthenticated remote attack vector entirely but impacting remote workforce accessibility. Enable database query logging and configure alerts for suspicious patterns (UNION SELECT, information_schema access, unusual timeReport queries) to detect exploitation attempts, though this provides detection not prevention. Review application logs since deployment for POST requests to timeReport with anomalous filter_by values to identify potential historical compromise. Long-term solution requires code remediation using prepared statements with parameterized queries for all filter_by parameter processing. VulnCheck advisory available at https://www.vulncheck.com/advisories/qdpm-sql-injection-via-filter-by-parameters provides additional technical details.

More in Qdpm

View all
CVE-2015-3884 HIGH POC
8.8 Mar 17

Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6)

CVE-2020-7246 HIGH POC
8.8 Jan 21

A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. Rated high severity (CVSS 8.8), this vulnera

CVE-2023-45856 CRITICAL POC
9.8 Oct 14

qdPM 9.2 allows remote code execution by using the Add Attachments feature of Edit Project to upload a .php file to the

CVE-2020-11811 CRITICAL POC
9.8 Apr 16

In qdPM 9.1, an attacker can upload a malicious .php file to the server by exploiting the Add Profile Photo capability w

CVE-2019-25669 HIGH POC
8.8 Apr 05

qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL c

CVE-2022-26180 HIGH POC
8.8 Apr 08

qdPM 9.2 allows Cross-Site Request Forgery (CSRF) via the index.php/myAccount/update URI. Rated high severity (CVSS 8.8)

CVE-2020-26165 HIGH POC
8.8 Dec 31

qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/a

CVE-2015-3881 HIGH POC
7.5 Mar 17

Information disclosure issue in qdPM 8.3 allows remote attackers to obtain sensitive information via a direct request to

CVE-2023-45855 HIGH POC
7.5 Oct 14

qdPM 9.2 allows Directory Traversal to list files and directories by navigating to the /uploads URI. Rated high severity

CVE-2015-3883 MEDIUM POC
6.1 Mar 17

Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow remote attackers to inject arbitrary web script or

CVE-2019-8391 MEDIUM POC
6.1 May 14

qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter. Rated medium severity (CVSS 6.1

CVE-2019-8390 MEDIUM POC
6.1 May 14

qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. Rated medium severity (CVSS 6.1), th

Share

CVE-2018-25208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy