CVE-2020-26166

EUVD-2020-18791
The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
Affected Products (NVD)
VendorProductVersion
qdpmqdpm
9.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://qdpm.net/qdpm-release-notes-free-project-management
https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md
https://sourceforge.net/projects/qdpm/
http://qdpm.net/qdpm-release-notes-free-project-management
https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md
https://sourceforge.net/projects/qdpm/