9.1.1
CVE-2018-25208 describes a SQL Injection vulnerability present in qdPM version 9.1. This flaw allows unauthenticated attackers to extract sensitive database information, potentially compromising the integrity and confidentiality of the system. The vulnerability is triggered by manipulating filter parameters within the timeReport endpoint. A fix is available through upgrading to a patched version of qdPM.
The SQL Injection vulnerability in qdPM 9.1 poses a significant risk to organizations running this software. An attacker can exploit the flaw by crafting malicious POST requests to the timeReport endpoint, specifically manipulating the filterby[CommentCreatedFrom] and filterby[CommentCreatedTo] parameters. Because the endpoint is reachable without valid credentials, successful exploitation lets the attacker inject arbitrary SQL and gain unauthorized access to the underlying database. This can lead to the exfiltration of sensitive data such as user credentials, financial records, and proprietary business information. Lateral movement within the network is limited to the database server itself, but the blast radius is still significant because the entire database contents may be compromised. While no direct precedent is explicitly mentioned, the impact aligns with the broader risks of SQL Injection vulnerabilities, where attackers can gain complete control over the database.
CVE-2018-25208 was published on 2026-03-26. The EPSS score is currently unavailable, making it difficult to assess the immediate exploitability risk. There are no publicly known proof-of-concept exploits available at this time. Given the relatively straightforward nature of SQL Injection vulnerabilities, it is prudent to assume that a PoC could be developed and deployed relatively quickly. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS: 0.09% (25th percentile)
The primary mitigation for CVE-2018-25208 is to upgrade to a patched version of qdPM. Unfortunately, the specific fixed version is not provided. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Input validation on the filterby[CommentCreatedFrom] and filterby[CommentCreatedTo] parameters is crucial; strictly enforce data types and lengths to prevent SQL injection attempts. Web Application Firewalls (WAFs) configured with rules to detect and block SQL injection patterns targeting the timeReport endpoint can provide an additional layer of defense. Monitor application logs for suspicious SQL queries or error messages related to the timeReport endpoint. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple SQL query through the filter_by parameters and verifying that it is properly sanitized.
Update qdPM to a version later than 9.1 that addresses the SQL Injection vulnerability. If no version is available, it is recommended to apply a security patch that correctly filters and escapes the inputs of the filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters in the timeReport endpoint.
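The workaround above (strict data-type validation of the two date filters, plus a query that never concatenates user input) can be expressed as follows. This is an added example, not qdPM's code: it assumes the filters are calendar dates in YYYY-MM-DD form and uses an in-memory SQLite table as a stand-in for the real comments table.

```python
import re
import sqlite3
from datetime import datetime

# Strict shape for the two date filters: YYYY-MM-DD only.
# Assumption: the timeReport filters carry calendar dates; qdPM's real format may differ.
_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_date_filter(value):
    """Return value if it is a well-formed calendar date, otherwise raise ValueError."""
    if not isinstance(value, str) or not _DATE_RE.match(value):
        raise ValueError("filter must be YYYY-MM-DD")
    datetime.strptime(value, "%Y-%m-%d")  # rejects impossible dates such as 2024-13-01
    return value


def comment_filters(params):
    """Extract and validate filter_by[CommentCreatedFrom] / filter_by[CommentCreatedTo]."""
    return (
        validate_date_filter(params.get("filter_by[CommentCreatedFrom]")),
        validate_date_filter(params.get("filter_by[CommentCreatedTo]")),
    )


def time_report(conn, params):
    """Run the report with a parameterised query: the values never become SQL text."""
    start, end = comment_filters(params)
    sql = ("SELECT id, created_at FROM comments "
           "WHERE created_at BETWEEN ? AND ? ORDER BY created_at")
    return conn.execute(sql, (start, end)).fetchall()


def demo_db():
    """Constructed sample data standing in for qdPM's comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER, created_at TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?, ?)",
                     [(1, "2024-01-05"), (2, "2024-02-10"), (3, "2024-03-15")])
    return conn


def safe_request(params):
    """Return report rows, or None when the filter parameters are rejected."""
    try:
        return time_report(demo_db(), params)
    except ValueError:
        return None
```

A rejected request is also the right place to emit the log line the monitoring advice above asks for, since any value that is not a plain date is suspicious on this endpoint.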
CVE-2018-25208 is a SQL Injection vulnerability in qdPM version 9.1, allowing unauthenticated attackers to extract database information through crafted POST requests to the timeReport endpoint.
If you are running qdPM version 9.1 and the timeReport endpoint is accessible, you are potentially affected by this vulnerability.
The recommended fix is to upgrade to a patched version of qdPM. If an upgrade is not immediately possible, implement input validation and WAF rules as temporary mitigations.
There are currently no publicly known active exploitation campaigns, but the vulnerability's nature suggests potential for future exploitation.
Please consult the qdPM vendor's website or security advisory channels for the official advisory regarding CVE-2018-25208.