Description
The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.
References (3)
Core 3
Core References
Release Notes, Vendor Advisory x_refsource_misc
http://qdpm.net/qdpm-release-notes-free-project-management
Product, Third Party Advisory x_refsource_misc
https://sourceforge.net/projects/qdpm/
Third Party Advisory x_refsource_misc
https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md
Scores
CVSS v3
5.4
EPSS
0.0026
EPSS Percentile
49.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
qdpm/qdpm
9.1
Published
Oct 05, 2020
Tracked Since
Feb 18, 2026