CVE-2020-26166

Published: Oct 5, 2020Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.

Affected (1)

Products: Qdpm: Qdpm

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Qdpm Qdpm	Version 9.1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

http://qdpm.net/qdpm-release-notes-free-project-management

Source: cve@mitre.org

Release NotesVendor Advisory

https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md

Source: cve@mitre.org

Third Party Advisory

https://sourceforge.net/projects/qdpm/

Source: cve@mitre.org

ProductThird Party Advisory

http://qdpm.net/qdpm-release-notes-free-project-management

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://sourceforge.net/projects/qdpm/

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

Timeline

No history available yet.