2020-01-21 15:15:00 2020-01-29 18:14:00

A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

Vector

NETWORK

Complexity

LOW

Authentication

SINGLE

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL