CVE-2018-25208

qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter by[CommentCreatedFrom] and filter by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data.