CVE-2018-25208
SQL Injection in qdPM 9.1 Allows Unauthenticated Data Extraction
Publication date: 2026-03-26
Last updated on: 2026-04-20
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qdpm | qdpm | up to and including 9.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2018-25208 is an SQL injection vulnerability found in qdPM version 9.1, a free web-based project management tool. This vulnerability allows unauthenticated attackers to inject malicious SQL code through the filter_by parameters, specifically filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo], in POST requests to the timeReport endpoint.
By exploiting this flaw, attackers can execute arbitrary SQL queries on the database, enabling them to extract sensitive information. Various SQL injection techniques can be used, including Boolean-based blind SQL Injection, error-based SQL Injection, stacked queries, time-based blind SQL Injection, and UNION-based SQL Injection.
This vulnerability allows attackers to retrieve the entire contents of the database, compromising the confidentiality and potentially the integrity of the application's data.
How can this vulnerability impact me?
This vulnerability can have serious impacts as it allows remote, unauthenticated attackers to extract sensitive data from the qdPM database by executing arbitrary SQL commands.
- Exposure of confidential project management data stored in the database.
- Potential compromise of data integrity due to execution of arbitrary SQL queries.
- Unauthorized access to sensitive information without any authentication.
- Possible further exploitation using advanced SQL injection techniques such as stacked queries and time-based attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability in qdPM 9.1 can be detected by sending crafted POST requests to the /index.php/timeReport endpoint with malicious payloads in the filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters.
Detection techniques include using Boolean-based blind SQL Injection, error-based SQL Injection, stacked queries, time-based blind SQL Injection, and UNION-based SQL Injection to verify if the application is vulnerable.
Example checks send POST requests carrying SQL payloads that produce a measurable delay (the MySQL SLEEP(5) function) or a database error (EXTRACTVALUE); either response indicates that the endpoint is vulnerable.
- Send a POST request to /index.php/timeReport with filter_by[CommentCreatedFrom]=1' OR SLEEP(5)-- and filter_by[CommentCreatedTo]=1 to test for time-based blind SQL Injection.
- Use error-based payloads like filter_by[CommentCreatedFrom]=1' AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT database()), 0x7e))-- to trigger database error messages revealing information.
- Attempt UNION-based SQL Injection by injecting payloads that combine SELECT statements to retrieve database data.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or filtering input to the filter_by parameters to prevent SQL injection.
Apply input validation and use parameterized queries or prepared statements in the application code to avoid direct injection of SQL commands.
If possible, update qdPM to a version later than 9.1 where this vulnerability is fixed or apply any available patches from the vendor.
Additionally, monitor and block suspicious POST requests to the /index.php/timeReport endpoint that contain unusual or malicious payloads in the filter_by parameters.
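As an added example of the last two mitigation steps above (input restriction on the filter_by parameters and flagging suspicious POST requests to /index.php/timeReport), the following check is not qdPM's own code; it assumes both filter_by date parameters are meant to carry plain YYYY-MM-DD values and classifies anything else as either an SQL-injection pattern or simply an unexpected shape. The sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Added defensive check, not qdPM's own code. Assumption: both filter_by
# date parameters are meant to carry plain YYYY-MM-DD values.
VULN_PATH = "/index.php/timeReport"
WATCHED_PARAMS = ("filter_by[CommentCreatedFrom]", "filter_by[CommentCreatedTo]")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Tokens typical of the techniques the advisory lists: time-based SLEEP,
# error-based EXTRACTVALUE, stacked ';', UNION SELECT, comment terminators.
SQLI_HINTS = re.compile(
    r"(?i)('|--|#|;|\bsleep\s*\(|\bextractvalue\s*\(|\bunion\b|\bselect\b)"
)

def inspect_request(method, path, body):
    """Return (param, value, reason) findings for one request; [] means clean."""
    findings = []
    if method.upper() != "POST" or path != VULN_PATH:
        return findings
    params = parse_qs(body, keep_blank_values=True)  # decodes '+' and %xx
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if DATE_RE.fullmatch(value):
                continue  # allowlisted shape: nothing to report
            reason = "sqli-pattern" if SQLI_HINTS.search(value) else "not-a-date"
            findings.append((name, value, reason))
    return findings

# Constructed sample traffic: a benign filter, two requests with the payload
# shapes the advisory describes, and one unrelated request.
SAMPLE_REQUESTS = [
    ("POST", VULN_PATH,
     "filter_by[CommentCreatedFrom]=2024-01-01&filter_by[CommentCreatedTo]=2024-01-31"),
    ("POST", VULN_PATH,
     "filter_by[CommentCreatedFrom]=1'+OR+SLEEP(5)--&filter_by[CommentCreatedTo]=1"),
    ("POST", VULN_PATH,
     "filter_by[CommentCreatedFrom]=1'+AND+EXTRACTVALUE(1,CONCAT(0x7e,(SELECT+database()),0x7e))--"
     "&filter_by[CommentCreatedTo]=2024-01-31"),
    ("GET", "/index.php/projects", ""),
]

def flagged_requests(requests=SAMPLE_REQUESTS):
    """Indices of requests that produced at least one finding."""
    return [i for i, (m, p, b) in enumerate(requests) if inspect_request(m, p, b)]
```

The same allowlist (reject anything that is not a date before it reaches the query) is what the application-side fix should enforce; the pattern list only adds a reason label for alerting and is not a substitute for parameterized queries.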
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in qdPM 9.1 allows unauthenticated attackers to extract sensitive database information by injecting malicious SQL code. This unauthorized access to sensitive data can lead to violations of data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access and breaches.
Because attackers can retrieve sensitive data from the database without authentication, organizations using vulnerable versions of qdPM may face compliance risks related to confidentiality, data integrity, and privacy requirements mandated by these standards.