Skip to main content

Qdpm

16 CVEs product

Monthly

CVE-2019-25669 HIGH POC This Week

qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the search_by_extrafields[] parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Qdpm
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2018-25208 HIGH POC This Week

SQL injection in qdPM 9.1 timeReport endpoint enables remote unauthenticated attackers to extract database contents via crafted filter_by parameters in POST requests. Public exploit code exists (Exploit-DB 45767), and CISA SSVC framework confirms proof-of-concept availability with automatable exploitation. Despite 8.8 CVSS severity, EPSS risk probability remains low at 0.07% (21st percentile), suggesting limited observed exploitation activity. Attackers can retrieve sensitive project management data including credentials, user information, and business records without authentication.

SQLi Information Disclosure Qdpm
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2023-45856 CRITICAL POC Act Now

qdPM 9.2 allows remote code execution by using the Add Attachments feature of Edit Project to upload a .php file to the /uploads URI. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload PHP Qdpm
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2023-45855 HIGH POC This Week

qdPM 9.2 allows Directory Traversal to list files and directories by navigating to the /uploads URI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Qdpm
NVD GitHub
CVSS 3.1
7.5
EPSS
3.3%
CVE-2022-26180 HIGH POC This Week

qdPM 9.2 allows Cross-Site Request Forgery (CSRF) via the index.php/myAccount/update URI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Qdpm
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
3.8%
CVE-2020-26165 HIGH POC This Week

qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Qdpm
NVD
CVSS 3.1
8.8
EPSS
2.5%
CVE-2020-26166 MEDIUM This Month

The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS File Upload Qdpm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.8%
CVE-2020-11814 MEDIUM POC This Month

A Host Header Injection vulnerability in qdPM 9.1 may allow an attacker to spoof a particular header and redirect users to malicious websites. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Qdpm
NVD
CVSS 3.1
5.4
EPSS
1.0%
CVE-2020-11811 CRITICAL POC Act Now

In qdPM 9.1, an attacker can upload a malicious .php file to the server by exploiting the Add Profile Photo capability with a crafted content-type value. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Qdpm
NVD
CVSS 3.1
9.8
EPSS
3.0%
CVE-2020-7246 HIGH POC THREAT Act Now

A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Path Traversal Qdpm
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
83.2%
CVE-2019-8391 MEDIUM POC This Month

qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Qdpm
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
3.3%
CVE-2019-8390 MEDIUM POC This Month

qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Qdpm
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
9.8%
CVE-2015-3884 HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 72.9%.

RCE File Upload Qdpm
NVD
CVSS 3.1
8.8
EPSS
72.9%
Threat
5.4
CVE-2015-3883 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) search[keywords] parameter to index.php/users page; the (2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Qdpm
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2015-3882 MEDIUM POC This Month

qdPM 8.3 allows remote attackers to obtain sensitive information via invalid ID value to index.php/users/info/id/[ID], which reveals the installation path in an error message. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Qdpm
NVD
CVSS 3.0
5.3
EPSS
0.3%
CVE-2015-3881 HIGH POC This Week

Information disclosure issue in qdPM 8.3 allows remote attackers to obtain sensitive information via a direct request to (1) core/config/databases.yml, (2) core/log/qdPM_prod.log, or (3). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Qdpm
NVD
CVSS 3.0
7.5
EPSS
0.3%
EPSS 0% CVSS 8.8
HIGH POC This Week

qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the search_by_extrafields[] parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Qdpm
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

SQL injection in qdPM 9.1 timeReport endpoint enables remote unauthenticated attackers to extract database contents via crafted filter_by parameters in POST requests. Public exploit code exists (Exploit-DB 45767), and CISA SSVC framework confirms proof-of-concept availability with automatable exploitation. Despite 8.8 CVSS severity, EPSS risk probability remains low at 0.07% (21st percentile), suggesting limited observed exploitation activity. Attackers can retrieve sensitive project management data including credentials, user information, and business records without authentication.

SQLi Information Disclosure Qdpm
NVD Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

qdPM 9.2 allows remote code execution by using the Add Attachments feature of Edit Project to upload a .php file to the /uploads URI. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload PHP +1
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC This Week

qdPM 9.2 allows Directory Traversal to list files and directories by navigating to the /uploads URI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Qdpm
NVD GitHub
EPSS 4% CVSS 8.8
HIGH POC This Week

qdPM 9.2 allows Cross-Site Request Forgery (CSRF) via the index.php/myAccount/update URI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Qdpm
NVD Exploit-DB
EPSS 3% CVSS 8.8
HIGH POC This Week

qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Qdpm
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS File Upload Qdpm
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

A Host Header Injection vulnerability in qdPM 9.1 may allow an attacker to spoof a particular header and redirect users to malicious websites. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Qdpm
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

In qdPM 9.1, an attacker can upload a malicious .php file to the server by exploiting the Add Profile Photo capability with a crafted content-type value. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Qdpm
NVD
EPSS 83% CVSS 8.8
HIGH POC THREAT Act Now

A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Path Traversal +1
NVD Exploit-DB
EPSS 3% CVSS 6.1
MEDIUM POC This Month

qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Qdpm
NVD Exploit-DB
EPSS 10% CVSS 6.1
MEDIUM POC This Month

qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Qdpm
NVD Exploit-DB
EPSS 73% 5.4 CVSS 8.8
HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 72.9%.

RCE File Upload Qdpm
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) search[keywords] parameter to index.php/users page; the (2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Qdpm
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

qdPM 8.3 allows remote attackers to obtain sensitive information via invalid ID value to index.php/users/info/id/[ID], which reveals the installation path in an error message. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Qdpm
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Information disclosure issue in qdPM 8.3 allows remote attackers to obtain sensitive information via a direct request to (1) core/config/databases.yml, (2) core/log/qdPM_prod.log, or (3). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Qdpm
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy