Lucene search

[email protected]NVD:CVE-2020-26166

HistoryOct 05, 2020 - 12:15 p.m.

CVE-2020-26166

2020-10-0512:15:12

CWE-79

[email protected]

web.nvd.nist.gov

file upload

qdpm 9.1

remote authenticated attackers

web script injection

html injection

xss

ticket creation

project creation

task creation

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

30.3%

JSON

The file upload functionality in qdPM 9.1 doesn’t check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.

Affected configurations

Nvd

Node

qdpmqdpmMatch9.1

VendorProductVersionCPE
qdpmqdpm9.1cpe:2.3:a:qdpm:qdpm:9.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
qdpm	qdpm	9.1	cpe:2.3:a:qdpm:qdpm:9.1:::::::*

References

qdpm.net/qdpm-release-notes-free-project-management

github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md

sourceforge.net/projects/qdpm/

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

30.3%

JSON

Related for NVD:CVE-2020-26166

cve1 prion1 cvelist1