{"api_version":"1","generated_at":"2026-04-24T22:36:59+00:00","cve":"CVE-2020-26166","urls":{"html":"https://cve.report/CVE-2020-26166","api":"https://cve.report/api/cve/CVE-2020-26166.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-26166","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-26166"},"summary":{"title":"CVE-2020-26166","description":"The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-10-05 12:15:00","updated_at":"2020-10-13 15:59:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md","name":"https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md","refsource":"MISC","tags":["Third Party Advisory"],"title":"CVEs/CVE-2020-26166.md at main · Kajmer/CVEs · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://qdpm.net/qdpm-release-notes-free-project-management","name":"http://qdpm.net/qdpm-release-notes-free-project-management","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"qdPM 7.0 Release Notes - Free Project Management","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://sourceforge.net/projects/qdpm/","name":"https://sourceforge.net/projects/qdpm/","refsource":"MISC","tags":["Product","Third Party Advisory"],"title":"qdPM - Project Management Tool | Get qdPM - Project Management Tool at SourceForge.net","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-26166","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26166","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"26166","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"qdpm","cpe5":"qdpm","cpe6":"9.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"26166","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"qdpm","cpe5":"qdpm","cpe6":"9.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-26166","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"http://qdpm.net/qdpm-release-notes-free-project-management","refsource":"MISC","name":"http://qdpm.net/qdpm-release-notes-free-project-management"},{"url":"https://sourceforge.net/projects/qdpm/","refsource":"MISC","name":"https://sourceforge.net/projects/qdpm/"},{"refsource":"MISC","name":"https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md","url":"https://github.com/Kajmer/CVEs/blob/main/CVE-2020-26166.md"}]}},"nvd":{"publishedDate":"2020-10-05 12:15:00","lastModifiedDate":"2020-10-13 15:59:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.3,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:qdpm:qdpm:9.1:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"26166","Ordinal":"187588","Title":"CVE-2020-26166","CVE":"CVE-2020-26166","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"26166","Ordinal":"1","NoteData":"The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"26166","Ordinal":"2","NoteData":"2020-10-05","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"26166","Ordinal":"3","NoteData":"2020-10-05","Type":"Other","Title":"Modified"}]}}}