17 matches found
EUVD-2015-3916
Malware in sbrugna...
EUVD-2015-3919
Malware in sbrugna...
qdPM Arbitrary File Upload Vulnerability
qdPM is a free, open-source project management system built on the Symfony framework using PHP and MySQL. An arbitrary file upload vulnerability exists in several pages in qdPM version 8.3. A remote attacker can exploit this vulnerability by sending a direct request to...
CVE-2015-3884
Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the...
CVE-2015-3881
Information disclosure issue in qdPM 8.3 allows remote attackers to obtain sensitive information via a direct request to (1) core/config/databases.yml, (2) core/log/qdPM_prod.log, or (3) core/apps/qdPM/config/settings.yml...
CVE-2015-3882
qdPM 8.3 allows remote attackers to obtain sensitive information via an invalid ID value to index.php/users/info/id/ID, which reveals the installation path in an error message...
Design/Logic Flaw
qdPM 8.3 allows remote attackers to obtain sensitive information via an invalid ID value to index.php/users/info/id/ID, which reveals the installation path in an error message...
Unrestricted file upload
Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the...
CVE-2015-3883
Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow remote attackers to inject arbitrary web script or HTML via (1) the search[keywords] parameter to the index.php/users page; (2) the "Name of application" on index.php/configuration; (3) a new project name on index.php/projects; (4) the task na...
Cross site scripting
Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow remote attackers to inject arbitrary web script or HTML via (1) the search[keywords] parameter to the index.php/users page; (2) the "Name of application" on index.php/configuration; (3) a new project name on index.php/projects; (4) the task na...
CVE-2015-3884
qdPM contains an unrestricted file upload vulnerability (affecting 8.3 and earlier) that lets remote attackers upload executable files and access them via uploads/attachments/ or uploads/users/ to achieve RCE. The issue arises from allowing executable extensions and direct file access; Metasploit...
CVE-2015-3883
qdPM 8.3 is affected by multiple cross-site scripting (XSS) vulnerabilities. The issues allow remote attackers to inject arbitrary web script or HTML via various user-controlled inputs, including: search[keywords] on index.php/users, the Name of application on index.php/configuration, new project...
CVE-2015-3881
CVE-2015-3881 affects qdPM 8.3 and is an information disclosure issue. Multiple sources (NVD/CNVD entries) describe that an attacker can obtain sensitive information by forcing or performing a direct request to one of three files: core/config/databases.yml, core/log/qdPM_prod.log, or core/apps/qd...