CVE-2020-26166 - OpenCVE

The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qdpm	Qdpm

Configuration 1 [-]

cpe:2.3:a:qdpm:qdpm:9.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://qdpm.net/qdpm-release-notes-free-project-management
https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md
https://sourceforge.net/projects/qdpm/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-10-05T12:00:35

Updated: 2024-08-04T15:49:07.126Z

Reserved: 2020-09-30T00:00:00

Link: CVE-2020-26166

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-10-05T12:15:12.460

Modified: 2020-10-13T15:59:45.890

Link: CVE-2020-26166

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-05T12:00:35", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://qdpm.net/qdpm-release-notes-free-project-management"}, {"tags": ["x_refsource_MISC"], "url": "https://sourceforge.net/projects/qdpm/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-26166", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://qdpm.net/qdpm-release-notes-free-project-management", "refsource": "MISC", "url": "http://qdpm.net/qdpm-release-notes-free-project-management"}, {"name": "https://sourceforge.net/projects/qdpm/", "refsource": "MISC", "url": "https://sourceforge.net/projects/qdpm/"}, {"name": "https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md", "refsource": "MISC", "url": "https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:49:07.126Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://qdpm.net/qdpm-release-notes-free-project-management"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://sourceforge.net/projects/qdpm/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-26166", "datePublished": "2020-10-05T12:00:35", "dateReserved": "2020-09-30T00:00:00", "dateUpdated": "2024-08-04T15:49:07.126Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qdpm:qdpm:9.1:*:*:*:*:*:*:*", "matchCriteriaId": "55B48FE9-A849-4504-8089-74DE16F82F3A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task."}, {"lang": "es", "value": "La funcionalidad file upload en qdPM versi\u00f3n 9.1, no comprueba la descripci\u00f3n del archivo, lo que permite a atacantes autentificados remotos inyectar un script web o HTML por medio del par\u00e1metro attachments info, tambi\u00e9n se conoce como un XSS. Esto puede ocurrir durante la creaci\u00f3n de un ticket, proyecto o tarea"}], "id": "CVE-2020-26166", "lastModified": "2020-10-13T15:59:45.890", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-05T12:15:12.460", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://qdpm.net/qdpm-release-notes-free-project-management"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://sourceforge.net/projects/qdpm/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}