CVE-2015-3884
published 2017-03-17

Priority: P272, high, 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 14.40% (96.2th percentile)
Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/attachments/ or uploads/users/.

Affected

1 range

Vendor   Product   Version range   Fixed in
qdpm     qdpm      <= 9.1

Detection & IOCs (extracted from sources)

path: uploads/attachments/
path: uploads/users/
  • Monitor for file uploads with executable extensions to the uploads/attachments/ and uploads/users/ directories in qdPM installations, followed by direct HTTP GET requests to those paths — this two-stage pattern (upload then access) is the exploitation sequence.
  • The qdPM 9.1 bypass variant abuses the users['photop_preview'] delete photo feature with a path traversal to circumvent .htaccess protections and upload malicious PHP files via the profile photo functionality.
  • Alert on authenticated POST requests uploading PHP or other executable files through the profile photo upload endpoint in qdPM, as this is the specific attack vector used for RCE.
  • The vulnerability is exploitable across multiple qdPM pages: myAccount, projects, tasks, tickets, discussions, reports, and scheduler — monitor file upload activity on all these endpoints.
  • The qdPM upload_exec Metasploit module targets the user profile photo upload feature; detect exploitation attempts by correlating authenticated sessions with multipart file upload requests containing executable file extensions.
  • CVE-2015-3884 was incompletely fixed; qdPM 9.1 and earlier remain vulnerable via the path traversal bypass of .htaccess, meaning patching to versions between 8.3 and 9.1 may not fully remediate the issue.
  • Exploitation requires valid credentials to the qdPM application; detections should account for authenticated attacker sessions, not just anonymous upload attempts.
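
The two-stage pattern in the notes above (upload, then a direct request into uploads/attachments/ or uploads/users/) can be checked against web server access logs. The sketch below is an added example, not code from this page or from the qdPM project. It assumes Apache/nginx combined-format logs, and the sample log lines, the POST URL, the extension list, the 30-minute window and the use of client IP as a stand-in for the authenticated session are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

UPLOAD_DIRS = ("uploads/attachments/", "uploads/users/")  # paths named on the page
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}  # assumed list
WINDOW = timedelta(minutes=30)  # assumed correlation window
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def executable_upload_path(url):
    """Return the decoded path if it names an executable file in an upload dir."""
    path = unquote(urlsplit(url).path)  # drop query string, undo %-encoding
    for d in UPLOAD_DIRS:
        idx = path.find(d)
        if idx == -1:
            continue
        name = path[idx + len(d):].split("/")[0].lower()
        # Any dot-separated component counts, so "x.php.jpg" is flagged too.
        if EXEC_EXT & set(name.split(".")[1:]):
            return path
    return None

def find_upload_then_access(lines):
    last_post = {}  # client IP -> time of its most recent POST to the application
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = executable_upload_path(m["url"])
        if path:
            prior = last_post.get(m["ip"])
            findings.append({"ip": m["ip"], "path": path, "status": int(m["status"]),
                             "after_post": bool(prior and ts - prior <= WINDOW)})
        elif m["method"] == "POST":
            last_post[m["ip"]] = ts
    return findings

# Constructed sample log lines (documentation IP ranges, hypothetical URLs).
SAMPLE = [
    '192.0.2.10 - - [17/Mar/2017:10:00:01 +0000] "POST /qdpm/index.php/myAccount HTTP/1.1" 302 -',
    '192.0.2.10 - - [17/Mar/2017:10:00:05 +0000] "GET /qdpm/uploads/users/123456-a.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [17/Mar/2017:11:00:00 +0000] "GET /qdpm/uploads/users/photo.jpg HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Mar/2017:11:05:00 +0000] "GET /qdpm/uploads/attachments/report%2Ephtml?x=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in find_upload_then_access(SAMPLE):
        print(f)
```

A hit with `after_post` true and status 200 is the stronger signal; a hit without a preceding POST still deserves review, since the upload may have come from another address or fall outside the window.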

CVSS provenance

nvd   v3.1   8.8   HIGH     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   6.5   MEDIUM   AV:N/AC:L/Au:S/C:P/I:P/A:P