CVE-2018-25208 - Vulnerability Analysis

Overview

qdPM 9.1 contains an sql injection caused by improper sanitization of filter_by parameters in the timeReport endpoint, letting unauthenticated attackers extract database information via crafted POST requests.

Severity & Score

Impact

Unauthenticated attackers can extract sensitive database information, leading to data disclosure and potential further compromise.

Mitigation

Update to the latest version of qdPM.

References

• https://www.vulncheck.com/advisories/qdpm-sql-injection-via-filter-by-parameters
• http://qdpm.net
• http://qdpm.net/download-qdpm-free-project-management
• https://www.exploit-db.com/exploits/45767

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner