Description

The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.

Remediation

References

CVE-2020-26166

Related Vulnerabilities

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-4304)

WordPress Plugin AppPresser-Mobile App Framework Security Bypass (4.3.2)

MySQL CVE-2017-10284 Vulnerability (CVE-2017-10284)

WordPress Plugin JTRT Responsive Tables SQL Injection (4.1)

WordPress Plugin Lazyest Gallery EXIF Code Cross-Site Scripting (1.1.20)

Severity

Medium

Classification

CVE-2020-26166 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities