CVE-2020-26165

HIGH

Qdpm < 9.1 - Insecure Deserialization

Title source: rule

Description

qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used.

References (3)

Scores

CVSS v3 8.8
EPSS 0.0113
EPSS Percentile 78.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (1)

qdpm/qdpm < 9.1

Timeline

Published Dec 31, 2020
Tracked Since Feb 18, 2026