📄 Description (English)
qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data.
🤖 AI Executive Summary
CVE-2018-25208 is a critical SQL injection vulnerability in qdPM 9.1 that allows unauthenticated attackers to extract sensitive database information through malicious POST requests to the timeReport endpoint. The vulnerability exploits inadequately sanitized filter_by parameters, enabling arbitrary SQL query execution without authentication. With a CVSS score of 8.2 and no available patch, this poses an immediate threat to organizations using affected versions.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 25, 2026 04:34
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations using qdPM for project management, particularly in: (1) Government agencies and ministries using qdPM for internal project tracking and resource management; (2) Banking and financial institutions using qdPM for project portfolio management; (3) Healthcare organizations using qdPM for clinical trial and research project management; (4) Energy sector (ARAMCO and related entities) using qdPM for project coordination; (5) Telecommunications companies (STC, Mobily) using qdPM for infrastructure projects. The unauthenticated nature of the attack makes it particularly dangerous, as attackers can extract employee data, project details, financial information, and other sensitive business intelligence without any credentials.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Healthcare and Medical Research
Energy and Utilities (ARAMCO)
Telecommunications (STC, Mobily)
Education and Research Institutions
Construction and Engineering
Manufacturing
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application
T1566 - Phishing (if combined with social engineering)
T1005 - Data from Local System
T1213 - Data from Information Repositories
T1040 - Network Sniffing (for data exfiltration)
T1041 - Exfiltration Over C2 Channel
T1557 - Man-in-the-Middle
T1110 - Brute Force (if combined with credential attacks)
⚖️ Saudi Risk Score (AI)
8.7
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of qdPM 9.1 in your environment and document their locations and data sensitivity
2. Implement network-level access controls to restrict access to qdPM instances to authorized users only
3. Disable or restrict access to the timeReport endpoint if not actively used
4. Monitor all POST requests to timeReport endpoint for suspicious filter_by parameters containing SQL syntax
COMPENSATING CONTROLS (No patch available):
1. Deploy Web Application Firewall (WAF) rules to block requests containing SQL injection patterns in filter_by parameters (e.g., UNION, SELECT, DROP, INSERT, UPDATE, DELETE, OR 1=1)
2. Implement input validation at the application level to reject filter_by parameters containing special SQL characters
3. Apply database-level restrictions: create a dedicated read-only database user for qdPM with minimal required permissions
4. Enable database query logging and audit all queries executed by qdPM user account
5. Implement rate limiting on timeReport endpoint to prevent automated exploitation
DETECTION RULES:
1. Alert on POST requests to /timeReport with filter_by parameters containing: UNION, SELECT, DROP, INSERT, UPDATE, DELETE, OR, AND, EXEC, SCRIPT
2. Monitor for unusual database query patterns from qdPM service account
3. Track failed authentication attempts followed by timeReport access attempts
4. Alert on extraction of large data volumes from database
UPGRADE STRATEGY:
1. Evaluate alternative project management solutions or upgrade to a patched version if available
2. If upgrade is necessary, plan migration with data backup and validation
3. Implement security testing on any replacement system before deployment
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع حالات qdPM 9.1 في بيئتك وقم بتوثيق مواقعها وحساسية البيانات
2. طبق عناصر تحكم الوصول على مستوى الشبكة لتقييد الوصول إلى حالات qdPM للمستخدمين المصرح لهم فقط
3. عطل أو قيد الوصول إلى نقطة نهاية timeReport إذا لم تكن قيد الاستخدام النشط
4. راقب جميع طلبات POST إلى نقطة نهاية timeReport للبحث عن معاملات filter_by المريبة التي تحتوي على بناء جملة SQL
عناصر التحكم التعويضية (لا يوجد تصحيح متاح):
1. نشر قواعد جدار حماية تطبيقات الويب (WAF) لحجب الطلبات التي تحتوي على أنماط حقن SQL في معاملات filter_by
2. طبق التحقق من صحة الإدخال على مستوى التطبيق لرفض معاملات filter_by التي تحتوي على أحرف SQL خاصة
3. طبق قيود على مستوى قاعدة البيانات: أنشئ مستخدم قاعدة بيانات مخصص للقراءة فقط لـ qdPM بأقل صلاحيات مطلوبة
4. فعّل تسجيل استعلامات قاعدة البيانات وتدقيق جميع الاستعلامات التي ينفذها حساب مستخدم qdPM
5. طبق تحديد معدل على نقطة نهاية timeReport لمنع الاستغلال الآلي
قواعد الكشف:
1. تنبيه على طلبات POST إلى /timeReport مع معاملات filter_by تحتوي على: UNION أو SELECT أو DROP أو INSERT أو UPDATE أو DELETE أو OR أو AND
2. راقب أنماط استعلامات قاعدة البيانات غير العادية من حساب خدمة qdPM
3. تتبع محاولات المصادقة الفاشلة متبوعة بمحاولات الوصول إلى timeReport
4. تنبيه على استخراج كميات كبيرة من البيانات من قاعدة البيانات
استراتيجية الترقية:
1. قيّم حلول إدارة المشاريع البديلة أو قم بالترقية إلى إصدار معدل إذا كان متاحاً
2. إذا كانت الترقية ضرورية، خطط للهجرة مع نسخ احتياطي للبيانات والتحقق من صحتها
3. طبق اختبار الأمان على أي نظام بديل قبل النشر
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.6.2.1 - User Registration and De-registration
A.7.1.1 - Cryptography Policy
A.8.2.1 - Malware Protection
A.8.3.1 - Management of Technical Vulnerabilities
A.12.2.1 - Restrictions on Software Installation
A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
ID.RA-1 - Asset Management
PR.AC-1 - Access Control Policy
PR.AC-3 - Access Enforcement
PR.AC-4 - Access Rights Management
PR.DS-1 - Data Security Policy
PR.DS-2 - Data in Transit
PR.DS-5 - Access Restrictions
DE.CM-1 - Anomalies and Events Detection
DE.CM-8 - Vulnerability Scans
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security
A.6.1.1 - Access control policy
A.6.2.1 - User registration and access rights
A.8.1.1 - Information security controls
A.8.2.1 - Malware protection
A.8.3.1 - Management of technical vulnerabilities
A.12.2.1 - Restrictions on software installation
A.14.2.1 - Secure development policy
🟣 PCI DSS v4.0.1
Requirement 1 - Install and maintain a firewall configuration
Requirement 6 - Develop and maintain secure systems and applications
Requirement 6.2 - Ensure security patches are installed
Requirement 6.5.1 - Injection flaws prevention
Requirement 10 - Track and monitor access to network resources
🔗 References & Sources 4
🔗
🔗
🔗
🔗
http://qdpm.net
disclosure@vulncheck.com
http://qdpm.net/download-qdpm-free-project-management
disclosure@vulncheck.com
https://www.exploit-db.com/exploits/45767
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/qdpm-sql-injection-via-filter-by-parameters
disclosure@vulncheck.com