Vulnerabilities > CVE-2018-18924 - Incomplete Cleanup vulnerability in Projeqtor
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
| file | exploits/php/webapps/45680.txt |
| id | EDB-ID:45680 |
| last seen | 2018-11-30 |
| modified | 2018-10-25 |
| platform | php |
| port | |
| published | 2018-10-25 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/45680 |
| title | ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution |
| type | webapps |