CVE-2015-3884

HIGH

qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE)

Title source: metasploit

Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-3884. PoCs published by Rishal Dwivedi (Loginsoft), Leon Trappett (thepcn3rd), Giacomo Casoni, loneferret, sinn3r, including Metasploit module exploits/multi/http/qdpm_authenticated_rce.

AI-analyzed exploit summary This Metasploit module exploits an authenticated arbitrary PHP file upload vulnerability in qdPM 9.1 and earlier. It leverages a path traversal flaw in the profile photo functionality to bypass .htaccess protection and achieve remote code execution.

Description

Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/attachments/ or uploads/users/.

Exploits (2)

metasploit WORKING POC EXCELLENT

by Rishal Dwivedi (Loginsoft), Leon Trappett (thepcn3rd), Giacomo Casoni · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/qdpm_authenticated_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated arbitrary PHP file upload vulnerability in qdPM 9.1 and earlier. It leverages a path traversal flaw in the profile photo functionality to bypass .htaccess protection and achieve remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: qdPM 9.1 and earlier

Auth required

Prerequisites: Valid credentials for a qdPM user account

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 24, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by loneferret, sinn3r · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/qdpm_upload_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an arbitrary PHP file upload vulnerability in qdPM v7 via the user profile photo upload feature, allowing remote code execution. It requires valid credentials for authentication.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: qdPM v7

Auth required

Prerequisites: Valid credentials for qdPM · Access to the web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory x_refsource_misc

http://rossmarks.uk/whitepapers/qdPM_8.3.txt

Third Party Advisory x_refsource_misc

http://rossmarks.uk/portfolio.php

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/168559/qdPM-9.1-Authenticated-Shell-Upload.html

Scores

CVSS v3 8.8

EPSS 0.7292

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

qdpm/qdpm < 9.1

Published Mar 17, 2017

Tracked Since Feb 18, 2026