CVE-2018-25208
Received Received - Intake
SQL Injection in qdPM 9.1 Allows Unauthenticated Data Extraction

Publication date: 2026-03-26

Last updated on: 2026-04-20

Assigner: VulnCheck

Description
qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-14
NVD
CVE-2018-25208
EUVD
EUVD-2018-21675
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qdpm qdpm to 9.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2018-25208 is an SQL injection vulnerability found in qdPM version 9.1, a free web-based project management tool. This vulnerability allows unauthenticated attackers to inject malicious SQL code through the filter_by parameters, specifically filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo], in POST requests to the timeReport endpoint.

By exploiting this flaw, attackers can execute arbitrary SQL queries on the database, enabling them to extract sensitive information. Various SQL injection techniques can be used, including Boolean-based blind SQL Injection, error-based SQL Injection, stacked queries, time-based blind SQL Injection, and UNION-based SQL Injection.

This vulnerability allows attackers to retrieve all database information, potentially compromising the confidentiality and integrity of the application’s data.

Impact Analysis

This vulnerability can have serious impacts as it allows remote, unauthenticated attackers to extract sensitive data from the qdPM database by executing arbitrary SQL commands.

  • Exposure of confidential project management data stored in the database.
  • Potential compromise of data integrity due to execution of arbitrary SQL queries.
  • Unauthorized access to sensitive information without any authentication.
  • Possible further exploitation using advanced SQL injection techniques such as stacked queries and time-based attacks.
Detection Guidance

This SQL injection vulnerability in qdPM 9.1 can be detected by sending crafted POST requests to the /index.php/timeReport endpoint with malicious payloads in the filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters.

Detection techniques include using Boolean-based blind SQL Injection, error-based SQL Injection, stacked queries, time-based blind SQL Injection, and UNION-based SQL Injection to verify if the application is vulnerable.

Example commands involve sending POST requests with SQL payloads that cause time delays or error messages, such as using the MySQL SLEEP(5) function or EXTRACTVALUE to trigger errors, which indicate vulnerability.

  • Send a POST request to /index.php/timeReport with filter_by[CommentCreatedFrom]=1' OR SLEEP(5)-- and filter_by[CommentCreatedTo]=1 to test for time-based blind SQL Injection.
  • Use error-based payloads like filter_by[CommentCreatedFrom]=1' AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT database()), 0x7e))-- to trigger database error messages revealing information.
  • Attempt UNION-based SQL Injection by injecting payloads that combine SELECT statements to retrieve database data.
Mitigation Strategies

Immediate mitigation steps include restricting or filtering input to the filter_by parameters to prevent SQL injection.

Apply input validation and use parameterized queries or prepared statements in the application code to avoid direct injection of SQL commands.

If possible, update qdPM to a version later than 9.1 where this vulnerability is fixed or apply any available patches from the vendor.

Additionally, monitor and block suspicious POST requests to the /index.php/timeReport endpoint that contain unusual or malicious payloads in the filter_by parameters.

Compliance Impact

The SQL injection vulnerability in qdPM 9.1 allows unauthenticated attackers to extract sensitive database information by injecting malicious SQL code. This unauthorized access to sensitive data can lead to violations of data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access and breaches.

Because attackers can retrieve sensitive data from the database without authentication, organizations using vulnerable versions of qdPM may face compliance risks related to confidentiality, data integrity, and privacy requirements mandated by these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25208. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart