2 matches found
Path traversal
A remote code execution RCE vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users'photoppreview' delete photo feature, allowing bypass of .htaccess protection...
CVE-2015-3884
qdPM contains an unrestricted file upload vulnerability (affecting 8.3 and earlier) that lets remote attackers upload executable files and access them via uploads/attachments/ or uploads/users/ to achieve RCE. The issue arises from allowing executable extensions and direct file access; Metasploit...