Primary

Context

qdPM SQL Injection Vulnerability in Users Endpoint

Vulnerability

A SQL injection vulnerability has been identified in qdPM version 9.1. This vulnerability allows attackers to inject SQL code through the 'search_by_extrafields[]' parameter in POST requests to the users endpoint. Exploitation of this vulnerability can trigger SQL syntax errors and potentially allow for extraction of database information.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access or modification.

Reproduction

To reproduce this vulnerability, send a POST request to the 'qdpm/index.php/users' endpoint. Include the 'search_by_extrafields[]' parameter with a value that will trigger a SQL syntax error. The response should indicate a SQL syntax error, confirming the injection was successful.

Added: Apr 5, 2026, 9:44 PM

Updated: Apr 5, 2026, 9:44 PM

Vulnerability Rating

Custom Algorithm

spread

0.8

impact

2.5

exploitability

9.5

remediation

0.0

relevance

5.3

threat

6.4

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.8

impact

2.5

exploitability

9.5

remediation

0.0

relevance

5.3

threat

6.4

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

qdPM SQL Injection Vulnerability in Users Endpoint

Vulnerability

Impact

Reproduction

Affected Products

qdPM

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating