CVE-2020-26166

The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
VendorProductVersion
qdpmqdpm
9.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://qdpm.net/qdpm-release-notes-free-project-management
https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md
https://sourceforge.net/projects/qdpm/
http://qdpm.net/qdpm-release-notes-free-project-management
https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md
https://sourceforge.net/projects/qdpm/