Description

The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.

Remediation

References

CVE-2020-26166

Related Vulnerabilities

MySQL Resource Management Errors Vulnerability (CVE-2012-2749)

WordPress Plugin Welcart e-Commerce PHP Object Injection (1.9.3)

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2018-3245)

PHP Out-of-bounds Read Vulnerability (CVE-2019-9024)

Jetty Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2021-34429)

Severity

Medium

Classification

CVE-2020-26166 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities