Plattform
php
Komponente
qdpm
Behoben in
9.1.1
CVE-2018-25208 describes a SQL Injection vulnerability present in qdPM version 9.1. This flaw allows unauthenticated attackers to extract sensitive database information, potentially compromising the integrity and confidentiality of the system. The vulnerability is triggered by manipulating filter parameters within the timeReport endpoint. A fix is available through upgrading to a patched version of qdPM.
An attacker exploiting CVE-2018-25208 can extract sensitive data from the qdPM database by injecting malicious SQL code into the 'filterby[CommentCreatedFrom]' and 'filterby[CommentCreatedTo]' parameters. This could include user credentials, configuration data, and other sensitive information. The attacker can then use this information to compromise the system further, gain unauthorized access, or launch other attacks. The attack vector involves crafting malicious POST requests to the timeReport endpoint.
CVE-2018-25208 was published on 2026-03-26. Exploitation probability is currently unknown. Public proof-of-concept (POC) code may exist or emerge, increasing the risk of exploitation. Review the NVD and CISA advisories for updates and potential indicators of compromise (IOCs).
Organizations deploying qdPM version 9.1 are at direct risk. Specifically, environments where the timeReport endpoint is exposed to the internet or accessible to untrusted users are particularly vulnerable. Shared hosting environments utilizing qdPM 9.1 should be considered high-risk due to the potential for cross-tenant exploitation.
• php / web:
grep -r "filter_by[CommentCreatedFrom]" /var/www/qdPM/timeReport.php• generic web:
curl -X POST -d "filter_by[CommentCreatedFrom]='; DROP TABLE users; --" http://your-qdpm-server/timeReport• generic web: Examine access logs for POST requests to /timeReport with unusual or malformed filter_by parameters.
• generic web: Check response headers for SQL errors or unexpected behavior after submitting crafted requests.
disclosure
Exploit-Status
EPSS
0.09% (25% Perzentil)
CISA SSVC
CVSS-Vektor
The recommended mitigation for CVE-2018-25208 is to upgrade to a patched version of qdPM. If an upgrade is not immediately possible, implement temporary workarounds. These include strict input validation on the 'filterby[CommentCreatedFrom]' and 'filterby[CommentCreatedTo]' parameters, ensuring all user-supplied input is properly sanitized before being used in SQL queries. Consider deploying a Web Application Firewall (WAF) with rules to detect and block SQL injection attempts targeting these parameters. Monitor database logs for suspicious activity.
Actualizar qdPM a una versión posterior a la 9.1 que solucione la vulnerabilidad de inyección SQL. Si no hay una versión disponible, se recomienda aplicar un parche de seguridad que filtre y escape correctamente las entradas de los parámetros filter_by[CommentCreatedFrom] y filter_by[CommentCreatedTo] en el endpoint timeReport.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2018-25208 is a SQL Injection vulnerability in qdPM version 9.1, allowing unauthenticated attackers to extract database information through crafted POST requests to the timeReport endpoint.
If you are running qdPM version 9.1 and the timeReport endpoint is accessible, you are potentially affected by this vulnerability.
The recommended fix is to upgrade to a patched version of qdPM. If an upgrade is not immediately possible, implement input validation and WAF rules as temporary mitigations.
There are currently no publicly known active exploitation campaigns, but the vulnerability's nature suggests potential for future exploitation.
Please consult the qdPM vendor's website or security advisory channels for the official advisory regarding CVE-2018-25208.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.