Ross Marks

**Name of the Vulnerable Software and Affected Versions** GetSimple CMS version 3.3.4 **Description** The issue allows remote attackers to obtain sensitive information via a direct request to API endpoints such as "plugins/anonymous data.php" or "plugins/InnovationPlugin.php", which reveals the installation path in an error message. **Recommendations** For GetSimple CMS version 3.3.4, consider restricting access to the "plugins/anonymous data.php" and "plugins/InnovationPlugin.php" files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** qdPM version 8.3 **Description** The issue allows remote attackers to obtain sensitive information via a direct request to specific files, including (1) "core/config/databases.yml", (2) "core/log/qdPM prod.log", or (3) "core/apps/qdPM/config/settings.yml". **Recommendations** For qdPM version 8.3, restrict access to the sensitive files "core/config/databases.yml", "core/log/qdPM prod.log", and "core/apps/qdPM/config/settings.yml" to minimize the risk of information disclosure.

**Name of the Vulnerable Software and Affected Versions** qdPM version 8.3 **Description** The issue allows remote attackers to obtain sensitive information. This is achieved by providing an invalid `ID` value to the "index.php/users/info/id/[ID]" endpoint, which results in an error message that reveals the installation path. **Recommendations** For qdPM version 8.3, consider restricting access to the "index.php/users/info/id/[ID]" endpoint until a patch is available. As a temporary workaround, avoid using invalid `ID` values in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** qdPM version 8.3 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including the `search[keywords]` parameter to "index.php/users" page, the "Name of application" on "index.php/configuration", a new project name on "index.php/projects", the task name on "index.php/tasks", ticket name on "index.php/tickets", discussion name on "index.php/discussions", report name on "index.php/projectReports", or event name on "index.php/scheduler/personal". **Recommendations** For qdPM version 8.3, consider restricting access to the mentioned API endpoints until a patch is available. As a temporary workaround, avoid using the vulnerable parameters, such as `search[keywords]`, in the affected pages. Restrict input for the "Name of application", new project name, task name, ticket name, discussion name, report name, and event name fields to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** qdPM version 8.3 **Description** The issue allows remote attackers to execute arbitrary code by uploading a file with an executable extension to various pages in qdPM, including `myAccount`, `projects`, `tasks`, `tickets`, `discussions`, `reports`, and `scheduler`. The attacker can then access the uploaded file directly via a request to the file in `uploads/attachments/` or `uploads/users/`, potentially leading to code execution. **Recommendations** For qdPM version 8.3, consider restricting file uploads to only allow non-executable file extensions as a temporary workaround until a patch is available. Restrict access to the `uploads/attachments/` and `uploads/users/` directories to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.