Описание
The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.
Ссылки
- Release NotesVendor Advisory
- Third Party Advisory
- ProductThird Party Advisory
- Release NotesVendor Advisory
- Third Party Advisory
- ProductThird Party Advisory
Уязвимые конфигурации
Конфигурация 1
cpe:2.3:a:qdpm:qdpm:9.1:*:*:*:*:*:*:*
EPSS
Процентиль: 49%
0.00261
Низкий
5.4 Medium
CVSS3
3.5 Low
CVSS2
Дефекты
CWE-79
Связанные уязвимости
github
больше 3 лет назад
The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.
EPSS
Процентиль: 49%
0.00261
Низкий
5.4 Medium
CVSS3
3.5 Low
CVSS2
Дефекты
CWE-79