Vendor
qdPM version 9.1 is vulnerable to SQL injection, allowing unauthenticated attackers to extract sensitive database information by injecting malicious SQL code into the filter_by parameters of the timeReport endpoint.