
Advisory Summary


Projeqtor version 9.3.1 suffers from a stored XSS vulnerability via SVG file upload. A low-privilege user can upload SVG images that contain malicious JavaScript. In this way an attacker can escalate privileges and upload a malicious plugin, which results in arbitrary code execution on the server hosting the application.

Impact

Authenticated attackers could perform actions in the context of high-privilege users. This vulnerability could lead to site-wide account takeover, privilege escalation and remote code execution.

Affected Vendor

Vendor: Projeqtor

Product: Projeqtor 9.3.1 and earlier versions

Vulnerability Summary

Improper sanitization of user-supplied files allows attackers to upload SVG images containing malicious JavaScript code.

CVE: CVE-2021-42940
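The root cause above is that an uploaded SVG is XML and can carry script elements, event-handler attributes and javascript: URLs. The following is an added example of a server-side upload check for that class of content; it is not Projeqtor's code and not the vendor's fix, and the sample SVG inputs are constructed for illustration. It uses only the Python standard library, so it runs offline.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can execute script or embed arbitrary (non-image) content.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes whose values may carry a URL (including SVG animation targets).
URL_ATTRS = {"href", "to", "from", "values"}
# URL schemes that must never appear in an uploaded image.
FORBIDDEN_SCHEMES = {"javascript", "vbscript", "data"}


def _localname(name: str) -> str:
    # ElementTree renders namespaced names as "{uri}local"; keep only "local".
    return name.rsplit("}", 1)[-1]


def _scheme(value: str) -> str:
    # Browsers ignore whitespace/control characters inside a scheme
    # ("java\nscript:"), so strip them before reading the scheme.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return cleaned.split(":", 1)[0] if ":" in cleaned else ""


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG upload should be rejected (empty list = clean)."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)  # expat does not fetch external entities
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if _localname(root.tag) != "svg":
        findings.append(f"root element is <{_localname(root.tag)}>, not <svg>")

    for elem in root.iter():
        name = _localname(elem.tag)
        if name in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in elem.attrib.items():
            lname = _localname(attr).lower()
            if lname.startswith("on"):
                findings.append(f"event handler attribute {lname} on <{name}>")
            if lname in URL_ATTRS and _scheme(value) in FORBIDDEN_SCHEMES:
                findings.append(f"{_scheme(value)}: URL in {lname} on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Accept an upload only when no finding was raised."""
    return not svg_findings(data)


# Constructed sample uploads (not from the advisory) to exercise the check.
SAMPLES = {
    "clean": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
    "script_element": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "event_handler": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    "split_scheme": (b'<svg xmlns="http://www.w3.org/2000/svg" '
                     b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                     b'<a xlink:href="java&#10;script:alert(1)"><text>x</text></a></svg>'),
    "malformed": b"<svg><unclosed>",
}


def classify_samples() -> dict[str, bool]:
    """Map each sample name to whether it would be accepted."""
    return {name: is_safe_svg(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {svg_findings(data) or 'clean'}")
```

A deny-list check like this is a first gate, not a complete defence: the durable mitigations are to serve user uploads from a separate origin or with `Content-Disposition: attachment`, to apply a Content-Security-Policy that disallows inline script, and, where the application only needs a thumbnail, to rasterize the SVG to PNG on upload so no markup reaches a browser.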

Proof of Concept

Solution

Update to version 9.4.2 or the latest version.

Timeline

  • 10/28/2021 - Contact with vendor.
  • 10/29/2021 - Vulnerability acknowledged.
  • 12/15/2021 - Fix released.

TRUE Advisory Contact: Oscar Gutierrez