
qdPM 9.1 ‘search_by_extrafields[]’ SQL injection puts user tables at risk, urgent information security alert

What happened

The worrying detail is tiny and specific: the parameter name, search_by_extrafields[]. A report published shortly before this post went up says qdPM 9.1 contains an SQL injection that lets an attacker inject SQL through that exact parameter.

According to the report, an attacker can send POST requests to the users endpoint with crafted search_by_extrafields[] values to trigger SQL syntax errors and extract database information. The advisory did not disclose which installs are affected or how the issue was first discovered.
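As an added illustration, not code from the report or from qdPM, here is the anti-pattern the report implies: each value of an array-valued request parameter is quoted by hand and spliced into the SQL text, so an unbalanced quote produces a syntax error (the probe signal the report describes) and a crafted value reads another table. The parameterised form beside it treats the same payload as an inert literal. The schema, table names, column names and function names are assumptions made up for this demo; qdPM's real query is not shown on the page.

```python
"""Added example: array-valued parameter spliced into SQL versus parameterised.
Schema and names are invented for illustration; they are not qdPM's."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed toy schema, not qdPM's: users plus a key/value extra-field table.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
        CREATE TABLE user_extrafields (user_id INTEGER, field TEXT, value TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hash_alice');
        INSERT INTO users VALUES (2, 'bob', 'hash_bob');
        INSERT INTO user_extrafields VALUES (1, 'department', 'finance');
        INSERT INTO user_extrafields VALUES (2, 'department', 'ops');
        """
    )
    return conn


def search_vulnerable(conn, extrafields):
    # The anti-pattern: every search_by_extrafields[] value is wrapped in quotes
    # by hand and concatenated into the statement. A quote inside a value
    # terminates the string literal and the rest becomes SQL.
    quoted = ", ".join("'" + v + "'" for v in extrafields)
    sql = (
        "SELECT u.id, u.name FROM users u "
        "JOIN user_extrafields e ON e.user_id = u.id "
        "WHERE e.value IN (" + quoted + ")"
    )
    return conn.execute(sql).fetchall()


def search_parameterised(conn, extrafields):
    # One placeholder per array element; the values never touch the SQL text,
    # so quotes, comment markers and UNION are just characters to match.
    if not extrafields:
        return []
    placeholders = ", ".join("?" for _ in extrafields)
    sql = (
        "SELECT u.id, u.name FROM users u "
        "JOIN user_extrafields e ON e.user_id = u.id "
        "WHERE e.value IN (" + placeholders + ")"
    )
    return conn.execute(sql, list(extrafields)).fetchall()


def demo():
    """Run the three cases the report describes and return the outcomes."""
    conn = make_db()
    results = {}
    results["normal"] = search_vulnerable(conn, ["finance"])
    # Probe: an unbalanced quote breaks the statement and the database
    # raises a syntax error, which is how an injection point is confirmed.
    try:
        search_vulnerable(conn, ["finance'"])
        results["probe"] = "no error"
    except sqlite3.OperationalError as exc:
        results["probe"] = "syntax error: " + str(exc)
    # Extraction: close the IN list, then UNION in columns from another table.
    payload = "x') UNION SELECT id, password_hash FROM users --"
    results["extract"] = search_vulnerable(conn, [payload])
    # Same payload against the parameterised query matches nothing.
    results["safe"] = search_parameterised(conn, [payload])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The extraction case is the point of the demo: once the IN list is closed, the attacker controls the rest of the statement and the column count is the only thing they have to guess. Validating each array element (for instance against the set of extra-field values the application actually knows) is a useful second layer, but only the placeholder form removes the injection.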

Why this matters to businesses

Since the flaw sits in the users endpoint, the table it queries is the one holding user records, so any reachable qdPM 9.1 instance could see data exfiltration, account exposure or escalation of access. Customers, partners and suppliers who rely on the app for project data are the obvious victims.

Because database contents are often reused for authentication or reporting, the operational impact can include fraud, urgent credential resets, regulatory reporting and lost productivity while forensics runs. Deferring the patch only makes all of this worse.

If you’ve got the same weakness, here’s what happens next

If you run qdPM 9.1 and the users endpoint is reachable, attackers can quietly pull rows, search for high-value columns and reuse data for fraud or targeted follow-up attacks. Over time you get persistent risk, spiralling recovery costs and a lot of awkward calls with lawyers and customers.

Given SQL injection is straightforward to automate, expect scanning, targeted extraction and repeated attempts to widen access, rather than a single noisy exploit. Treat the presence of this issue as a live data integrity and confidentiality problem until proven otherwise.

What to do on Monday morning

  1. Inventory: find every qdPM 9.1 instance reachable from the internet and inside your network, then isolate ones you can’t patch immediately.

  2. Block externally: restrict POST access to the users endpoint at the edge (reverse proxy or WAF) and in the web server configuration on the host until mitigations are applied. A plain network firewall cannot see the HTTP method, so this has to be done at an HTTP-aware layer.

  3. Check vendor advisories: look for an official patch or mitigation notes for qdPM 9.1, and apply any vendor fixes immediately if available.

  4. WAF rules: deploy targeted Web Application Firewall rules that block requests carrying SQL syntax (quotes, comment markers, UNION, SELECT) in search_by_extrafields[] values while you patch, and log every match so you can see who is probing.

  5. Credentials and logs: rotate any credentials held by affected installations (application accounts, the database user, API tokens), increase logging for the users endpoint including request bodies where your proxy allows it, and preserve logs for forensic review.

  6. Backup and test restores: ensure recent backups exist for affected databases and run a quick restore test so you can recover altered data if needed.

  7. Code review and param handling: have developers confirm that the query behind search_by_extrafields[] uses parameterised statements and validates each array element, which removes the root cause rather than just hiding it behind a WAF.
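To make steps 4 and 5 concrete, here is an added triage script, not from the page's author and not part of qdPM, that scans logged requests to the users endpoint for search_by_extrafields[] values carrying SQL syntax and ranks the sources. It assumes a JSON-lines log in which a reverse proxy or WAF has recorded the request body (standard access logs do not include POST bodies, which is why step 5 matters), and it assumes /index.php/users as the endpoint path; the sample records are constructed, and the real route and log schema will differ. It also checks the same parameter on GET query strings, since the report only mentions POST but the query is the same.

```python
"""Added example: triage logged requests for injection probes against
search_by_extrafields[]. Log format, endpoint path and sample records are
assumptions constructed for this demo, not qdPM's real routes or real traffic."""
import json
import re
from urllib.parse import parse_qs, urlsplit

PARAM_PREFIX = "search_by_extrafields["   # matches [] and [0], [1], ... forms
# Cheap indicators of SQL syntax smuggled into a value. Deliberately broad:
# this is a triage filter, not a WAF signature.
SQLI_PATTERN = re.compile(
    r"""['"`]|--|/\*|;|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(""",
    re.IGNORECASE,
)

# Constructed sample log, not real traffic. Bodies are URL-encoded form data.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:01Z","src":"203.0.113.10","method":"POST","path":"/index.php/users","body":"search_by_extrafields%5B%5D=finance&search_by_extrafields%5B%5D=ops"}
{"ts":"2024-05-01T09:00:07Z","src":"198.51.100.7","method":"POST","path":"/index.php/users","body":"search_by_extrafields%5B%5D=finance%27"}
{"ts":"2024-05-01T09:00:09Z","src":"198.51.100.7","method":"POST","path":"/index.php/users","body":"search_by_extrafields%5B%5D=x%27%29+UNION+SELECT+1%2Cpassword+FROM+users--+-"}
{"ts":"2024-05-01T09:01:00Z","src":"203.0.113.11","method":"GET","path":"/index.php/users?search_by_extrafields%5B%5D=%27","body":""}
{"ts":"2024-05-01T09:02:00Z","src":"203.0.113.12","method":"POST","path":"/index.php/projects","body":"name=test%27"}
"""


def is_users_endpoint(path: str) -> bool:
    # Assumed route: anything whose path component ends in /users.
    return urlsplit(path).path.rstrip("/").endswith("/users")


def extract_values(record: dict) -> list:
    """Collect every search_by_extrafields[...] value from body and query string."""
    values = []
    query = urlsplit(record.get("path", "")).query
    for source in (record.get("body", ""), query):
        # parse_qs percent-decodes keys, so %5B%5D comes back as [].
        for key, vals in parse_qs(source, keep_blank_values=True).items():
            if key.startswith(PARAM_PREFIX):
                values.extend(vals)
    return values


def triage(log_text: str) -> list:
    """Return one finding per suspicious parameter value on the users endpoint."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not is_users_endpoint(rec.get("path", "")):
            continue
        for value in extract_values(rec):
            if SQLI_PATTERN.search(value):
                findings.append({
                    "ts": rec["ts"], "src": rec["src"],
                    "method": rec["method"], "value": value,
                })
    return findings


def summarise(findings: list) -> dict:
    """Count findings per source address so the noisiest probers surface first."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["src"], h["method"], repr(h["value"]))
    print(summarise(hits))
```

Expect false positives: a legitimate value such as O'Brien trips the quote check, so treat a hit as a prompt to read the surrounding requests from that source, not as proof of an attack. The same pattern list is a reasonable starting point for the step 4 WAF rule, restricted to this parameter so it does not block the rest of the application.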

Where ISO standards fit, without the sales pitch

An ISO 27001 aligned information security management system helps here by forcing you to maintain an asset inventory, control access to external-facing applications and treat vulnerability management as an auditable process, which would catch an exposed qdPM 9.1 install faster.

When recovery and continuity matter, a tested business continuity plan reduces the operational pain of an extraction event, because you already know how to restore services and communicate with stakeholders.

For baseline secure configuration and third-party assurance, the IASME approach makes sensible controls explicit, including input validation and secure development practices that make this class of SQL injection far less likely to ship in the first place.

And if your team needs to tighten human processes around patching, testing and supplier checks, those standards give you a structure that’s actually usable in a crisis, not just a box to tick.

Quick note: the advisory did not state a public CVE or a vendor patch at the time of the report, so treat any claims about fixes as unconfirmed until you check the vendor site.

Act now, because attackers won’t wait.

Find any qdPM 9.1 installs, block POSTs to the users endpoint and apply vendor patches or WAF rules immediately, don’t wait to be someone’s disaster story.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.