Description
qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php, because that code uses PHP's unserialize().
Remediation
References
Related Vulnerabilities
Coppermine Cross-site Scripting (XSS) Vulnerability (CVE-2018-14478)
Joomla Improper Authentication Vulnerability (CVE-2014-6632)
IBM WebSEAL Inadequate Encryption Strength Vulnerability (CVE-2019-4151)
Oracle Application Server Other Vulnerability (CVE-2009-0217)
CKEditor Inclusion of Functionality from Untrusted Control Sphere Vulnerability (CVE-2021-26271)