Vendor: qdPM
By: Rishal Dwivedi (Loginsoft)
CVSS: 8.8 (HIGH)
Path Traversal + Remote Code Execution
CWE: 22
Product Name: qdPM
Affected Version From: <=1.9.1
Affected Version To: <=1.9.1
Patch Exists: YES
Related CWE: CVE-2020-7246
CPE: a:qdpm.net:qdpm:9.1
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10
2020

qdPM 9.1 – Remote Code Execution

This exploit allows an attacker to gain remote code execution on a vulnerable qdPM 9.1 system. It abuses a path traversal vulnerability in the qdPM 9.1 application that lets an attacker upload a malicious .htaccess file to the web root directory. The malicious file contains a payload that is executed when the application is accessed.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of qdPM 9.1.
Source

Exploit-DB raw data: