CVE-2023-45855
published 2023-10-14

CVE-2023-45855: qdPM 9.2 allows Directory Traversal to list files and directories by navigating to the /uploads URI.

Priority P356 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 3.33% (87.1th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
qdpm | qdpm | |

Detection & IOCs (extracted from sources)

path: /uploads/
other: http.favicon.hash:762074255
other: icon_hash=762074255
  • HTTP GET request to /uploads/ returning HTTP 200 with body containing 'Index of /uploads' and 'attachments/' indicates successful directory traversal exploitation.
  • Identify exposed qdPM 9.2 instances via Shodan favicon hash 762074255 or FOFA icon_hash=762074255.
  • The vulnerability is unauthenticated (PR:N, UI:N) and network-accessible (AV:N), meaning no credentials are required to trigger directory listing at /uploads/.
  • Only qdPM version 9.2 is confirmed vulnerable per the CPE; other versions are not specified as affected.