{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2018-25208", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-26T11:34:36.724Z", "datePublished": "2026-03-26T11:39:54.728Z", "dateUpdated": "2026-03-26T18:35:47.179Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T11:39:54.728Z"}, "datePublic": "2018-11-01T00:00:00.000Z", "title": "qdPM 9.1 SQL Injection via filter_by Parameters", "descriptions": [{"lang": "en", "value": "qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "affected": [{"vendor": "Qdpm", "product": "qdPM", "versions": [{"version": "9.1", "status": "affected"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qdpm:qdpm:9.1:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:qdpm:qdpm:9.2:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:qdpm:qdpm:8.3:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:qdpm:qdpm:9.0:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/45767", "name": "ExploitDB-45767", "tags": ["exploit"]}, {"url": "http://qdpm.net", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "http://qdpm.net/download-qdpm-free-project-management", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: qdPM 9.1 SQL Injection via filter_by Parameters", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/qdpm-sql-injection-via-filter-by-parameters"}], "credits": [{"lang": "en", "value": "\u00d6zkan Mustafa Akku\u015f (AkkuS)", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:35:37.895482Z", "id": "CVE-2018-25208", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:35:47.179Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2018-25208", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:35:37.895482Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:35:42.690Z"}}], "cna": {"title": "qdPM 9.1 SQL Injection via filter_by Parameters", "credits": [{"lang": "en", "type": "finder", "value": "\u00d6zkan Mustafa Akku\u015f (AkkuS)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Qdpm", "product": "qdPM", "versions": [{"status": "affected", "version": "9.1"}]}], "datePublic": "2018-11-01T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/45767", "name": "ExploitDB-45767", "tags": ["exploit"]}, {"url": "http://qdpm.net", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "http://qdpm.net/download-qdpm-free-project-management", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/qdpm-sql-injection-via-filter-by-parameters", "name": "VulnCheck Advisory: qdPM 9.1 SQL Injection via filter_by Parameters", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:qdpm:qdpm:9.1:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:qdpm:qdpm:9.2:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:qdpm:qdpm:8.3:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:qdpm:qdpm:9.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T11:39:54.728Z"}}}, "cveMetadata": {"cveId": "CVE-2018-25208", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:35:47.179Z", "dateReserved": "2026-03-26T11:34:36.724Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-26T11:39:54.728Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data."}], "id": "CVE-2018-25208", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-26T12:16:06.047", "references": [{"source": "disclosure@vulncheck.com", "url": "http://qdpm.net"}, {"source": "disclosure@vulncheck.com", "url": "http://qdpm.net/download-qdpm-free-project-management"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/45767"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/qdpm-sql-injection-via-filter-by-parameters"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-26T13:21:50.973009+00:00", "value": {"mitigation_remediation": ["Upgrade qdPM to the latest release that mitigates the timeReport injection flaw.", "If upgrade is not immediately possible, restrict external access to the timeReport endpoint or the rest of the application using firewall rules or network segmentation.", "Deploy a web application firewall or configure request filtering to block suspicious SQL payloads targeting the filter_by parameters.", "Review application logs for signs of injected queries and investigate any anomalies.", "Confirm that the vendor has released an update, and apply the official security release as soon as it becomes available."], "summary": {"action": "Patch Immediately", "impact": "Data Exfiltration via SQL Injection"}, "threat_synthesis": {"affected_systems": " Qdpm product, specifically versions 8.3, 9.0, 9.1, and 9.2. The product is commonly deployed by organizations relying on qdPM for project management tasks; any installation using these versions is potentially exposed if the timeReport endpoint is reachable from untrusted networks.", "description_and_impact": "qdPM 9.1, a project management solution, contains a critical SQL injection flaw in its timeReport endpoint. By submitting specially crafted POST requests with malicious input in the filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters, an attacker can inject arbitrary SQL code. This flaw allows unauthenticated users to read sensitive database records, potentially exposing confidential information. The weakness is a classic SQL injection (CWE-89).", "risk_and_exploitability": "The CVSS base score is 8.8, indicating a high severity risk. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely without authentication by sending POST requests to the timeReport URL from any external origin. Given the lack of authentication checks and the direct influence over SQL query formation, exploitation is straightforward for an adversary with network access to the application."}}}}, "created": "2026-03-26T13:54:42.540140+00:00", "updated": "2026-03-26T13:54:42.540178+00:00", "vendors": []}