CVE-2020-26165
Severity: HIGH
WAF: Medium
CVSS 8.8
Published: 2020-12-31
CWE-502
qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used.
WAF Coverage Analysis
Insecure Deserialization
Medium WAF Coverage
OWASP: A08:2021 Software and Data Integrity Failures
944xxx - Java Attack
Affected Software
| Vendor | Product | Version |
|---|---|---|
| qdpm | qdpm | up to 9.1 |
References
- packetstormsecurity.com (Exploit, Third Party Advisory, VDB Entry)
- qdpm.net (Vendor Advisory)
- seclists.org (Exploit, Mailing List, Third Party Advisory)