CVE-2020-26166

Name of the Vulnerable Software and Affected Versions qdPM version 9.1

Description The file upload functionality in qdPM does not check the file description, allowing remote authenticated attackers to inject web script or HTML via the attachments info parameter. This issue can occur during the creation of a ticket, project, or task.

Recommendations For qdPM version 9.1, consider disabling the file upload functionality until a patch is available to prevent exploitation. Restrict access to the file upload feature to minimize the risk of injection attacks. Avoid using the attachments info parameter in the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.