
CVE-2020-26166

[Suggested description]

The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.

[Vulnerability Type]

Cross Site Scripting (XSS)

[Vendor of Product]

qdPM

[Affected Product Code Base]

qdPM - 9.1

[Affected Component]

File upload functionality used when creating tickets, projects, and tasks.

[Attack Type]

Remote

[Impact Code execution]

true

[Attack Vectors]

To exploit the vulnerability, an attacker with standard user rights must upload a file and change its description to arbitrary JavaScript code. For example - <svg/onload=alert("Attachment info XSS")>.

The vulnerability is contained in the functionality for creating tickets, projects, and tasks.
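The issue above is a stored XSS caused by concatenating the attachment description into HTML without output encoding. As an added example (not qdPM's own code; the render functions, field names, and sample record are assumptions), the vulnerable concatenation is shown beside the hardened, output-encoded form, together with a small heuristic a defender could use to flag stored descriptions that already contain markup:

```javascript
// Added example, not qdPM code: shows the unescaped render pattern behind
// CVE-2020-26166 and the output-encoding fix. All names are assumptions.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern: the user-controlled description lands in the page as-is,
// so a stored payload executes for every user who views the attachment list.
function renderAttachmentRowVulnerable(attachment) {
  return `<tr><td>${attachment.filename}</td><td>${attachment.description}</td></tr>`;
}

// Hardened pattern: every user-controlled field is escaped at the output point.
function renderAttachmentRowSafe(attachment) {
  return `<tr><td>${escapeHtml(attachment.filename)}</td>` +
         `<td>${escapeHtml(attachment.description)}</td></tr>`;
}

// Defensive heuristic for reviewing already-stored descriptions: flags a value
// that contains an HTML tag or an inline event-handler attribute.
const SUSPICIOUS = /<\s*\/?\s*[a-z][\w-]*|\bon[a-z]+\s*=/i;
function looksLikeMarkup(description) {
  return SUSPICIOUS.test(String(description));
}

// Constructed sample record using the payload quoted in the advisory.
const sample = {
  filename: 'report.pdf',
  description: '<svg/onload=alert("Attachment info XSS")>',
};

console.log('vulnerable:', renderAttachmentRowVulnerable(sample));
console.log('hardened:  ', renderAttachmentRowSafe(sample));
console.log('flagged:   ', looksLikeMarkup(sample.description));
```

The fix belongs at the output point (escape on render) rather than only at input, because descriptions stored before the patch remain in the database; the heuristic check is there to find those, not to replace escaping.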

[Reference]

https://sourceforge.net/projects/qdpm/
http://qdpm.net/qdpm-release-notes-free-project-management

[Discoverer]

Vladimir Rotanov (Jet Infosystems (jet.su), Moscow, Russia)