qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE)
A remote code execution RCE vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users'photoppreview' delete photo feature, allowing bypass of .htaccess protection...