Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
qdPM Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability - CVE-2018-25208 - Vulnerability Database
qdPM

qdPM Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability - CVE-2018-25208

High
Reference: CVE-2018-25208
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2018-25208
Title: qdPM Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability
Overview:

qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_byCommentCreatedFrom and filter_byCommentCreatedTo parameters to execute arbitrary SQL queries and retrieve sensitive data.