CVE-2020-26166
[Suggested description]
The file upload functionality in qdPM 9.1 does not sanitize the attachment description, which allows remote authenticated attackers to inject arbitrary web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.
[Vulnerability Type]
Cross Site Scripting (XSS)
[Vendor of Product]
qdPM
[Affected Product Code Base]
qdPM - 9.1
[Affected Component]
File upload (attachment description field) in the ticket, project and task creation functionality.
[Attack Type]
Remote
[Impact Code execution]
true
[Attack Vectors]
To exploit the vulnerability, an attacker with standard user rights uploads a file as an attachment and sets its description to arbitrary JavaScript or HTML, for example <svg/onload=alert("Attachment info XSS")>. The description is stored and rendered without escaping, so the payload executes in the browser of any user who views the affected item.
The vulnerability is present in the functionality for creating tickets, projects and tasks.
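The following is an added illustration, not code from qdPM (which is a PHP application): it models the rendering step that makes this a stored XSS and the fix a maintainer would apply. The payload is the one given above; the attachment record, its field names and the upload URL are constructed for the example, and the regex check is a simple test helper rather than a general XSS detector.

```javascript
// Added example (not qdPM's own code): an attachment description that is
// concatenated into HTML unescaped becomes stored XSS for every viewer of the
// ticket, project or task. The payload below is the one from the advisory.

const PAYLOAD = '<svg/onload=alert("Attachment info XSS")>';

// Minimal HTML escaping sufficient for element content and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable rendering: the stored description is inserted as-is, so markup
// typed by an authenticated user becomes part of the page for everyone.
function renderAttachmentVulnerable(att) {
  return `<li><a href="${att.url}">${att.filename}</a> - ${att.description}</li>`;
}

// Hardened rendering: every untrusted field is escaped for its HTML context.
function renderAttachmentSafe(att) {
  return `<li><a href="${escapeHtml(att.url)}">${escapeHtml(att.filename)}</a> - ${escapeHtml(att.description)}</li>`;
}

// Constructed sample record, as a standard user could create it (field names
// and upload path are assumptions for this example).
const sample = {
  filename: 'report.pdf',
  url: '/uploads/attachments/report.pdf',
  description: PAYLOAD,
};

// Test helper: does the rendered HTML contain an element carrying an
// on*= event-handler attribute? The template itself never emits one, so a
// match means user data reached the page as live markup.
function containsActiveMarkup(html) {
  return /<[a-z]+[^>]*[\s/]on[a-z]+\s*=/i.test(html);
}

console.log('vulnerable:', renderAttachmentVulnerable(sample));
console.log('hardened:  ', renderAttachmentSafe(sample));
```

Running the block prints both renderings; only the vulnerable one contains a live `<svg/onload=...>` element, while the hardened one shows the payload as inert text. Escaping on output is the fix; rejecting a denylist of tags on input would miss the many alternative payloads an attacker can choose.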
[Reference]
https://sourceforge.net/projects/qdpm/
http://qdpm.net/qdpm-release-notes-free-project-management
[Discoverer]
Vladimir Rotanov (Jet Infosystems (jet.su), Moscow, Russia)