{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/qdpm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["qdPM"],"_cs_severities":["critical"],"_cs_tags":["sqli","cve-2018-25208","qdpm"],"_cs_type":"advisory","_cs_vendors":["qdPM"],"content_html":"\u003cp\u003eqdPM 9.1 is susceptible to an SQL injection vulnerability (CVE-2018-25208) that enables unauthenticated attackers to extract database information. This vulnerability is located in the timeReport endpoint and is triggered by manipulating the filter_by parameters. By sending specially crafted POST requests containing malicious SQL code within the \u003ccode\u003efilter_by[CommentCreatedFrom]\u003c/code\u003e and \u003ccode\u003efilter_by[CommentCreatedTo]\u003c/code\u003e parameters, attackers can bypass authentication and execute arbitrary SQL queries. Successful exploitation leads to the unauthorized extraction of sensitive data stored within the qdPM database. This vulnerability poses a significant risk to organizations using qdPM 9.1, potentially exposing confidential project management data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a qdPM 9.1 instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/timeReport\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003efilter_by[CommentCreatedFrom]\u003c/code\u003e and \u003ccode\u003efilter_by[CommentCreatedTo]\u003c/code\u003e parameters within the POST request. The injected SQL code is designed to extract sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious POST request to the vulnerable qdPM instance.\u003c/li\u003e\n\u003cli\u003eThe qdPM application fails to properly sanitize the input provided in the \u003ccode\u003efilter_by\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the qdPM database.\u003c/li\u003e\n\u003cli\u003eThe database returns the results of the injected SQL query to the application.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the extracted data in the HTTP response, potentially including usernames, passwords, project details, and other sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability allows unauthenticated attackers to extract sensitive information from the qdPM database. This can include usernames, passwords, project details, customer data, and financial information. The impact can range from data breaches and financial losses to reputational damage and legal liabilities. Due to the unauthenticated nature of the vulnerability, all qdPM 9.1 installations exposed to the internet are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary patches or upgrade to a secure version of qdPM to remediate CVE-2018-25208.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all user-supplied data, especially within the \u003ccode\u003efilter_by\u003c/code\u003e parameters of the \u003ccode\u003etimeReport\u003c/code\u003e endpoint, to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect malicious POST requests with SQL injection attempts targeting the \u003ccode\u003etimeReport\u003c/code\u003e endpoint in your web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as unusual POST requests to \u003ccode\u003e/timeReport\u003c/code\u003e with potentially malicious SQL code in the \u003ccode\u003efilter_by\u003c/code\u003e parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-qdpm-sqli/","summary":"qdPM version 9.1 is vulnerable to SQL injection, allowing unauthenticated attackers to extract sensitive database information by injecting malicious SQL code into the filter_by parameters of the timeReport endpoint.","title":"qdPM 9.1 SQL Injection Vulnerability (CVE-2018-25208)","url":"https://feed.craftedsignal.io/briefs/2024-01-qdpm-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed - Qdpm","version":"https://jsonfeed.org/version/1.1"}