CVE-2015-3883

Name of the Vulnerable Software and Affected Versions qdPM version 8.3

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including the search[keywords] parameter to "index.php/users" page, the "Name of application" on "index.php/configuration", a new project name on "index.php/projects", the task name on "index.php/tasks", ticket name on "index.php/tickets", discussion name on "index.php/discussions", report name on "index.php/projectReports", or event name on "index.php/scheduler/personal".

Recommendations For qdPM version 8.3, consider restricting access to the mentioned API endpoints until a patch is available. As a temporary workaround, avoid using the vulnerable parameters, such as search[keywords], in the affected pages. Restrict input for the "Name of application", new project name, task name, ticket name, discussion name, report name, and event name fields to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.