Description

qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used.

Remediation

References

CVE-2020-26165

Related Vulnerabilities

MyBB Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2012-2324)

MySQL CVE-2012-0494 Vulnerability (CVE-2012-0494)

Drupal Core 4.6.x Cross-Site Scripting (4.6.0 - 4.6.7)

Roundcube Improper Input Validation Vulnerability (CVE-2011-1491)

WordPress 5.1.x Multiple Vulnerabilities (5.1 - 5.1.1)

Severity

High

Classification

CVE-2020-26165 CWE-94 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities