CVE-2015-3884

Name of the Vulnerable Software and Affected Versions qdPM version 8.3

Description The issue allows remote attackers to execute arbitrary code by uploading a file with an executable extension to various pages in qdPM, including myAccount, projects, tasks, tickets, discussions, reports, and scheduler. The attacker can then access the uploaded file directly via a request to the file in uploads/attachments/ or uploads/users/, potentially leading to code execution.

Recommendations For qdPM version 8.3, consider restricting file uploads to only allow non-executable file extensions as a temporary workaround until a patch is available. Restrict access to the uploads/attachments/ and uploads/users/ directories to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.