Vulnerability Details CVE-2020-26166
The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 50.1%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 3.5
References
- http://qdpm.net/qdpm-release-notes-free-project-management
- https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md
- https://sourceforge.net/projects/qdpm/
- http://qdpm.net/qdpm-release-notes-free-project-management
- https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md
- https://sourceforge.net/projects/qdpm/