CVE-2019-8390
Published: 2019-05-14
qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter.
Priority: P3 (44), medium, CVSS 3.0 base score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: public exploit available
EPSS: 8.86% (94.6th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qdpm | qdpm | — | — |
CVSS provenance
- NVD, CVSS v3.0: 6.1 MEDIUM, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- NVD, CVSS v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
No detection rules found.
Exploit-DB
qdPM 9.1 - 'search[keywords]' Cross-Site Scripting (EDB-ID 46399, exploitdb, 2019-02-18, CVSS 6.1, MEDIUM)

```text
# Exploit Title: qdPM 9.1 - 'search[keywords]' XSS Injection
# CVE: CVE-2019-8390
# Date: 14-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://qdpm.net
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: v9.1
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description:
Free project management tool for small team
qdPM is a free web-based project management tool suitable for a small
team working on multiple projects.
It is fully configurable. You can easy manage Projects, Tasks and People.
Customers interact using a Ticket System that is integrated into Task management.
# POC - XSS
# Parameters : search[keywords]
# Attack Pattern : e">zi2u(9111)
# POST Request : http://localhost/
```
Nuclei
qdPM 9.1 - Cross-site Scripting (nuclei, CVSS 6.1, MEDIUM)
qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter.
Template:

```yaml
id: CVE-2019-8390

info:
  name: qdPM 9.1 - Cross-site Scripting
  author: theamanrawat
  severity: medium
  description: |
    qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Upgrade to a patched version of qdPM or apply the necessary security patches provided by the vendor.
  reference:
    - https://www.exploit-db.com/exploits/46399/
    - http://qdpm.net/download-qdpm-free-project-management
    - htt
```
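The Exploit-DB attack pattern opens with `e"`, the usual way of closing a quoted attribute value, and the Nuclei template's remediation line only says "upgrade". The following added example (written for this page; it is not code from qdPM, the Exploit-DB entry, or the Nuclei project) models that situation and shows what a correct fix looks like and why a half fix fails: it reflects search[keywords] into a quoted `value="..."` attribute three ways (verbatim, escaping only `& < >`, and escaping quotes as well), parses each result the way a browser would, and reports whether the reflected value changed the markup. The form template, the action path, and both payloads are constructed for the example and are not taken from the page.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Hypothetical stand-in for the search form that reflects search[keywords].
# The real qdPM 9.1 template is not reproduced on this page; this one models
# only the relevant fact, that the value lands inside a quoted attribute.
FORM_TEMPLATE = (
    '<form method="post" action="{action}">'
    '<input type="text" name="search[keywords]" value="{kw}">'
    '</form>'
)
ACTION = "/index.php/tasks"  # assumed path, not taken from the page


def render_vulnerable(keywords: str) -> str:
    """Reflects the parameter verbatim (the CVE-2019-8390 pattern)."""
    return FORM_TEMPLATE.format(action=ACTION, kw=keywords)


def render_partial_fix(keywords: str) -> str:
    """Escapes & < > but leaves quotes alone: still breakable in attribute context."""
    return FORM_TEMPLATE.format(action=ACTION, kw=html.escape(keywords, quote=False))


def render_fixed(keywords: str) -> str:
    """Escapes & < > \" ' as well, so the value cannot terminate the attribute."""
    return FORM_TEMPLATE.format(action=ACTION, kw=html.escape(keywords, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected(body: str) -> bool:
    """True if the rendered page contains a <script> element or any on* event
    handler attribute. The template emits neither, so either one means the
    reflected value escaped from value="..." and changed the markup."""
    parser = _TagCollector()
    parser.feed(body)
    parser.close()
    for tag, attrs in parser.tags:
        if tag == "script" or any(name.startswith("on") for name in attrs):
            return True
    return False


def probe_body(payload: str) -> str:
    """Form-encoded POST body for the parameter. PHP's search[keywords] array
    syntax is just percent-encoded like any other key."""
    return urlencode({"search[keywords]": payload})


# Constructed payloads for this example (not the page's attack pattern).
TAG_PAYLOAD = 'e"><script>alert(9111)</script>'     # closes the attribute, then injects a tag
ATTR_PAYLOAD = 'e" autofocus onfocus="alert(9111)'  # no angle brackets at all


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("partial fix", render_partial_fix),
                         ("fixed", render_fixed)):
        print(f"{name:12s} tag payload injected={injected(render(TAG_PAYLOAD))}, "
              f"attribute payload injected={injected(render(ATTR_PAYLOAD))}")
    print("POST body:", probe_body(TAG_PAYLOAD))
```

The point of the second payload is that a filter which strips or escapes only angle brackets (a common "fix" for a scanner finding) does nothing for a value reflected inside an attribute: `e" autofocus onfocus="...` adds an event handler without a single `<`. Escaping must match the output context, which for an attribute value means quotes as well. The `probe_body` helper produces the request body a verification check would send; whether the real endpoint takes GET or POST is not settled by this page, although the Exploit-DB header lists a POST request.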
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/151723/qdPM-9.1-Cross-Site-Scripting.html
- http://qdpm.net/download-qdpm-free-project-management
- http://sourceforge.net/projects/qdpm
- https://www.exploit-db.com/exploits/46399/