CVE-2018-18924

Published: Nov 4, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.

Affected (1)

Products: Projeqtor: Projeqtor

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Projeqtor Projeqtor	Up to 7.2.5

Related CWEs

Incomplete Cleanup

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

References (4)

https://pentest.com.tr/exploits/ProjeQtOr-Project-Management-Tool-7-2-5-Remote-Code-Execution.html

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.exploit-db.com/exploits/45680/

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://pentest.com.tr/exploits/ProjeQtOr-Project-Management-Tool-7-2-5-Remote-Code-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.exploit-db.com/exploits/45680/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

Timeline

No history available yet.