Description

The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.

Remediation

References

CVE-2020-26166

Related Vulnerabilities

PHP Release of Invalid Pointer or Reference Vulnerability (CVE-2022-31625)

Oracle Database Server CVE-2019-2776 Vulnerability (CVE-2019-2776)

WordPress Plugin Thrive Ultimatum Security Bypass (2.3.9.3)

WordPress Plugin Booking Calendar Contact Form Cross-Site Scripting (1.0.24)

WordPress Plugin Integration for Contact Form 7 and Salesforce Cross-Site Scripting (1.2.4)

Severity

Medium

Classification

CVE-2020-26166 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities