CVE-2020-7246

Name of the Vulnerable Software and Affected Versions qdPM versions 9.1 and earlier

Description A remote code execution issue exists, allowing an attacker to upload malicious PHP code via the profile photo functionality. This is possible due to a path traversal vulnerability in the users['photop preview'] delete photo feature, which enables bypassing .htaccess protection.

Recommendations For qdPM versions 9.1 and earlier, as a temporary workaround, consider disabling the profile photo upload feature until a patch is available. Restrict access to the users['photop preview'] delete photo feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.