PT-2020-4302 · Qdpm · Qdpm

Published: 2020-04-16 · Updated: 2020-10-07 · CVE-2020-11811

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: qdPM version 9.1
Description: qdPM 9.1 performs unrestricted file upload: the Add Profile Photo feature accepts a file whose client-supplied content-type value has been crafted, so an attacker can store a malicious .php file on the server. Once the file is uploaded, the attacker can execute arbitrary commands on the server. The vulnerability therefore allows a remote attacker to execute arbitrary code on the target system.
Recommendations: For qdPM version 9.1, consider disabling the file upload capability, specifically the Add Profile Photo feature, until a patch is available. Restrict access to file upload functions to minimize the risk of malicious uploads. Do not rely on unvalidated or unverified content-type values when accepting uploads, since trusting them is what enables arbitrary code execution here. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
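The root cause described above is an upload handler that trusts the request's content-type and the client's filename. The following is an added example of a hardened profile-photo handler, not qdPM's own code: it sniffs the MIME type from the file bytes, requires the file to parse as an image of that type, and assigns a server-chosen name and extension. The function name, the 2 MiB cap and the destination directory argument are assumptions for illustration.

```php
<?php
// Added example, not qdPM code. Server-side validation for a profile-photo
// upload that never trusts the client-supplied Content-Type or filename.
// The weak pattern the advisory describes boils down to trusting
// $_FILES['photo']['type'] and keeping $_FILES['photo']['name'] on disk.

declare(strict_types=1);

/**
 * Validate an uploaded image and store it under a random server-chosen name.
 * $file is one entry of $_FILES; $destDir should be outside the web root or
 * served with PHP execution disabled. Returns the stored filename or null.
 */
function storeProfilePhoto(array $file, string $destDir): ?string
{
    // Allowed image types, keyed by the MIME type detected from content,
    // mapped to the extension the server will assign.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if (($file['size'] ?? 0) > 2 * 1024 * 1024) {   // assumed 2 MiB cap
        return null;
    }

    // 1. Detect the MIME type from the bytes on disk, not from $file['type'].
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !isset($allowed[$detected])) {
        return null;
    }

    // 2. Require the file to decode as an image whose type matches.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $detected) {
        return null;
    }

    // 3. Discard the client filename entirely: random name, server extension,
    //    so an uploaded "photo.php" can never be stored with a .php suffix.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$detected];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $name;
}
```

Re-encoding the accepted image through GD or Imagick before storing it additionally strips any non-image data the file carries, and the upload directory should be served with PHP handlers disabled so a bypass of the checks still cannot execute.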

Exploit

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

BDU:2020-04795
CVE-2020-11811

Affected Products

Qdpm