CVE-2020-26166
CVE-2020-26166 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task. EPSS estimates a 0.84% chance of exploitation in the next 30 days.
Description
The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Qdpm | Qdpm | 9.1 |
References
- http://qdpm.net/qdpm-release-notes-free-project-management (Release Notes, Vendor Advisory)
- https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md (Third Party Advisory)
- https://sourceforge.net/projects/qdpm/ (Product, Third Party Advisory)
Source: NVD / NIST
