Advisories for Composer/Qcubed/Qcubed package

A SQL injection vulnerability exists in qcubed profile.php via the strQuery parameter. This allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.

A PHP object injection bug in profile.php in qcubed deserializes the untrusted data of the POST-variable strProfileData and allows an unauthenticated attacker to execute code via a crafted POST request.

A reflected cross-site scripting (XSS) vulnerability in qcubed's profile.php via the stQuery-parameter allows unauthenticated attackers to steal sessions of authenticated users.