Description
qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used.
Remediation
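As an added illustration of the usual mitigation for this bug class (not qdPM's code and not a vendor patch), the sketch below decodes a client-supplied value without instantiating any objects. The function names and the assumption that the export action expects a list of scalar values are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not taken from qdPM: decode an untrusted serialized
// value while guaranteeing that no application class is ever instantiated.
function decodeExportSelection(string $raw): array
{
    // allowed_classes => false (PHP 7.0+) makes unserialize() turn every
    // serialized object into __PHP_Incomplete_Class, so no __wakeup() or
    // __destruct() method of an application class can be triggered.
    $value = @unserialize($raw, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input; anything that is not
    // an array is rejected as well.
    if (!is_array($value)) {
        throw new InvalidArgumentException('selection must be a serialized array');
    }
    assertScalarsOnly($value);
    return $value;
}

// Walk nested arrays and refuse anything that is not a plain scalar or null,
// which also rejects the __PHP_Incomplete_Class placeholders created above.
function assertScalarsOnly(array $value): void
{
    foreach ($value as $item) {
        if (is_array($item)) {
            assertScalarsOnly($item);
        } elseif ($item !== null && !is_scalar($item)) {
            throw new InvalidArgumentException('selection contains a non-scalar value');
        }
    }
}

// Constructed sample inputs: a list of ids, and a list carrying an object.
$samples = [
    'list of ids'     => serialize(['12', '15', '21']),
    'embedded object' => 'a:1:{i:0;O:8:"stdClass":0:{}}',
];

foreach ($samples as $label => $raw) {
    try {
        echo $label, ': accepted ', json_encode(decodeExportSelection($raw)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Where the data format can be changed, exchanging the value as JSON and decoding it with `json_decode()` removes the object-instantiation path entirely.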
References