CVE-2018-25208

qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://qdpm.net	Product
http://qdpm.net/download-qdpm-free-project-management	Product
https://www.exploit-db.com/exploits/45767	Exploit Third Party Advisory
https://www.vulncheck.com/advisories/qdpm-sql-injection-via-filter-by-parameters	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:qdpm:qdpm:*:*:*:*:*:*:*:*

History

20 Apr 2026, 14:09

Type	Values Removed	Values Added
CPE		cpe:2.3:a:qdpm:qdpm::::::::
First Time		Qdpm Qdpm qdpm
Summary		(es) qdPM 9.1 contiene una vulnerabilidad de inyección SQL que permite a atacantes no autenticados extraer información de la base de datos inyectando código SQL a través de los parámetros filter_by. Los atacantes pueden enviar solicitudes POST maliciosas al endpoint timeReport con parámetros filter_by[CommentCreatedFrom] y filter_by[CommentCreatedTo] manipulados para ejecutar consultas SQL arbitrarias y recuperar datos sensibles.
References	~~() http://qdpm.net -~~	() http://qdpm.net - Product
References	~~() http://qdpm.net/download-qdpm-free-project-management -~~	() http://qdpm.net/download-qdpm-free-project-management - Product
References	~~() https://www.exploit-db.com/exploits/45767 -~~	() https://www.exploit-db.com/exploits/45767 - Exploit, Third Party Advisory
References	~~() https://www.vulncheck.com/advisories/qdpm-sql-injection-via-filter-by-parameters -~~	() https://www.vulncheck.com/advisories/qdpm-sql-injection-via-filter-by-parameters - Vendor Advisory

26 Mar 2026, 12:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-26 12:16

Updated : 2026-04-20 14:09

NVD link : CVE-2018-25208

Mitre link : CVE-2018-25208

CVE.ORG link : CVE-2018-25208

JSON object : View

Products Affected

qdpm

qdpm

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

8.2 /10