Description
qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used.
Remediation
References