{"uuid": "5279724c-0c61-4496-a65c-80db07af041c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2015-3884", "type": "seen", "source": "https://t.me/cveNotify/369", "content": "\ud83d\udea8 CVE-2020-7246\nA remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.\n\n\ud83c\udf96@cveNotify", "creation_timestamp": "2020-01-21T17:37:37.000000Z"}