Description
qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used.
Remediation
References