📄 Description (English)
qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the search_by_extrafields[] parameter. Attackers can send POST requests to the users endpoint with malicious search_by_extrafields[] values to trigger SQL syntax errors and extract database information.
🤖 AI Executive Summary
CVE-2019-25669 is a critical SQL injection vulnerability in qdPM 9.1 affecting the search_by_extrafields[] parameter that allows unauthenticated attackers to manipulate database queries and extract sensitive information. The vulnerability has publicly available exploits and no official patch, making it an immediate threat to organizations using this project management software. Attackers can execute arbitrary SQL commands through POST requests to the users endpoint, potentially compromising confidentiality and integrity of stored data.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 25, 2026 13:44
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations using qdPM for project management, particularly in: Government agencies (NCA, CITC) managing sensitive projects; Banking sector (SAMA-regulated institutions) storing customer and transaction data; Healthcare organizations (MOH, private hospitals) managing patient information; Energy sector (ARAMCO, utilities) managing operational projects; Telecommunications (STC, Mobily) managing infrastructure projects. The lack of an official patch and availability of public exploits make this an active threat requiring immediate mitigation across all sectors.
🏢 Affected Saudi Sectors
Government
Banking
Healthcare
Energy
Telecommunications
Education
Manufacturing
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Disable or restrict access to qdPM 9.1 instances immediately, especially from untrusted networks
2. Implement Web Application Firewall (WAF) rules to block POST requests containing 'search_by_extrafields[]' parameters
3. Conduct urgent database audit to identify unauthorized access or data extraction attempts in logs
4. Review database access logs for suspicious SQL queries or error patterns
PATCHING GUIDANCE:
1. Upgrade to qdPM version 9.2 or later if available, or migrate to alternative project management solutions
2. If upgrade not possible, apply input validation and parameterized queries to all search functions
3. Implement strict input sanitization for all user-supplied parameters
COMPENSATING CONTROLS:
1. Deploy network segmentation to restrict qdPM access to authorized users only
2. Implement database activity monitoring (DAM) to detect anomalous SQL queries
3. Enable comprehensive audit logging for all database operations
4. Apply principle of least privilege to database user accounts
5. Use database encryption for sensitive data at rest
DETECTION RULES:
1. Monitor for POST requests to /users endpoint with 'search_by_extrafields[]' parameters
2. Alert on SQL syntax errors in application logs
3. Detect unusual database query patterns or UNION-based SQL injection attempts
4. Monitor for multiple failed database queries from single source IP
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تعطيل أو تقييد الوصول إلى نسخ qdPM 9.1 فوراً، خاصة من الشبكات غير الموثوقة
2. تطبيق قواعد جدار حماية تطبيقات الويب لحجب طلبات POST التي تحتوي على معاملات 'search_by_extrafields[]'
3. إجراء تدقيق عاجل لقاعدة البيانات لتحديد محاولات الوصول غير المصرح بها
4. مراجعة سجلات الوصول لقاعدة البيانات للكشف عن استعلامات SQL المريبة
إرشادات التصحيح:
1. الترقية إلى qdPM الإصدار 9.2 أو أحدث، أو الهجرة إلى حلول بديلة
2. إذا لم يكن الترقية ممكنة، تطبيق التحقق من صحة المدخلات والاستعلامات المعاملة
3. تطبيق تنظيف صارم للمدخلات من جميع المعاملات
الضوابط البديلة:
1. نشر تقسيم الشبكة لتقييد الوصول إلى qdPM للمستخدمين المصرح لهم فقط
2. تطبيق مراقبة نشاط قاعدة البيانات للكشف عن استعلامات SQL غير الطبيعية
3. تفعيل تسجيل شامل لجميع عمليات قاعدة البيانات
4. تطبيق مبدأ الامتياز الأدنى على حسابات مستخدمي قاعدة البيانات
5. استخدام تشفير قاعدة البيانات للبيانات الحساسة
قواعد الكشف:
1. مراقبة طلبات POST إلى نقطة /users مع معاملات 'search_by_extrafields[]'
2. تنبيهات أخطاء بناء جملة SQL في سجلات التطبيق
3. الكشف عن محاولات حقن SQL القائمة على UNION
4. مراقبة استعلامات قاعدة البيانات المتعددة الفاشلة من عنوان IP واحد
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for suppliers
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Secure development policy
🔵 SAMA CSF
SAMA CSF ID.GV-1 - Organizational governance and risk management
SAMA CSF PR.DS-1 - Data security and protection
SAMA CSF DE.CM-1 - Detection and analysis of anomalies
SAMA CSF RS.MI-1 - Incident response and recovery
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for information security
ISO 27001:2022 A.8.1 - User endpoint devices
ISO 27001:2022 A.12.2 - Development and support processes
ISO 27001:2022 A.12.6 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2 - Supplier relationships
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 11.2 - Vulnerability scanning
🔗 References & Sources 4
🔗
http://qdpm.net
disclosure@vulncheck.com
Product
🔗
http://qdpm.net/download-qdpm-free-project-management
disclosure@vulncheck.com
Product
🔗
https://www.exploit-db.com/exploits/46387
disclosure@vulncheck.com
Exploit
VDB Entry
🔗
https://www.vulncheck.com/advisories/qdpm-sql-injection-via-search-by-extrafields-param...
disclosure@vulncheck.com
Third Party Advisory
📦 Affected Products / CPE 1 entries
qdpm:qdpm