Search Results (11 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-41463 | 1 Projeqtor | 1 Projeqtor | 2026-04-28 | 8.8 High |
| ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process. | ||||
| CVE-2026-41466 | 1 Projeqtor | 1 Projeqtor | 2026-04-28 | 5.4 Medium |
| ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the checkValidHtmlText() function within Security.php that fails to properly sanitize user input by only detecting specific patterns while returning unsanitized strings without output encoding. Attackers can inject malicious payloads that bypass the filter using alternative syntax such as img tags with event handlers, which are stored and executed in the browsers of users viewing the affected content. | ||||
| CVE-2021-47819 | 1 Projeqtor | 1 Projeqtor | 2026-04-15 | 9.8 Critical |
| ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter. | ||||
| CVE-2023-49034 | 1 Projeqtor | 1 Projeqtor | 2025-04-25 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in ProjeQtOr 11.0.2 allows a remote attacker to execute arbitrary code via a crafted script to the checkvalidHtmlText function in the ack.php and security.php files. | ||||
| CVE-2017-11760 | 1 Projeqtor | 1 Projeqtor | 2025-04-20 | N/A |
| uploadImage.php in ProjeQtOr before 6.3.2 allows remote authenticated users to execute arbitrary PHP code by uploading a .php file composed of concatenated image data and script data, as demonstrated by uploading as an image within the description text area. | ||||
| CVE-2024-29386 | 1 Projeqtor | 1 Projeqtor | 2025-04-11 | 5.4 Medium |
| projeqtor up to 11.2.0 was discovered to contain a SQL injection vulnerability via the component /view/criticalResourceExport.php. | ||||
| CVE-2024-29387 | 1 Projeqtor | 1 Projeqtor | 2025-04-11 | 8.8 High |
| projeqtor up to 11.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /view/print.php. | ||||
| CVE-2013-6164 | 1 Projeqtor | 1 Projeqtor | 2025-04-11 | N/A |
| SQL injection vulnerability in view/objectDetail.php in Project'Or RIA 3.4.0 allows remote attackers to execute arbitrary SQL commands via the objectId parameter. | ||||
| CVE-2013-6163 | 1 Projeqtor | 1 Projeqtor | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ProjeQtOr (formerly Project'Or RIA) before 4.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to view/parameter.php, (2) p1value parameter to view/main.php, or (3) objectClass parameter to view/objectDetail.php. | ||||
| CVE-2021-42940 | 1 Projeqtor | 1 Projeqtor | 2024-11-21 | 9.9 Critical |
| A Cross Site Scripting (XSS) vulnerability exists in Projeqtor 9.3.1 via /projeqtor/tool/saveAttachment.php, which allows an attacker to upload an SVG file containing malicious JavaScript code. | ||||
| CVE-2018-18924 | 1 Projeqtor | 1 Projeqtor | 2024-11-21 | N/A |
| The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message. | ||||