CVE-2018-25208 — HIGH (8.2)

Q: How severe is CVE-2018-25208?

CVE-2018-25208 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-25208?

Check the references section above for vendor advisories and patch information. Affected products include: Qdpm Qdpm.

Vulnerability Description

qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data.

CVSS Score

8.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Qdpm	Qdpm	<= 9.1

Related Weaknesses (CWE)

CWE-89

References

http://qdpm.netProduct
http://qdpm.net/download-qdpm-free-project-managementProduct
https://www.exploit-db.com/exploits/45767ExploitThird Party Advisory
https://www.vulncheck.com/advisories/qdpm-sql-injection-via-filter-by-parametersVendor Advisory

FAQ

What is CVE-2018-25208?

CVE-2018-25208 is a vulnerability with a CVSS score of 8.2 (HIGH). qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit maliciou...

How severe is CVE-2018-25208?

CVE-2018-25208 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-25208?

Check the references section above for vendor advisories and patch information. Affected products include: Qdpm Qdpm.