CVE-2018-18924
published 2018-11-04

Priority: P2 · 65 · high
CVSS 3.0: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
EXPLOIT
EPSS: 9.49% (94.8th percentile)
The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.

Affected (1 range)

Vendor: projeqtor
Product: projeqtor
Version range: <= 7.2.5
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /tool/uploadImage.php?CKEditor=result&CKEditorFuncNum=80&langCode=en
path: /files/images/
filename: RCE.shtml
url: http://domain/files/images/20181023010230_1_RCE.shtml?whoami
  • Detect POST requests uploading .shtml files to the ProjeQtOr image upload endpoint /tool/uploadImage.php; the server accepts and retains the file despite returning a 'This file is not a valid image' error.
  • Monitor for .shtml files appearing under the /files/images/ directory on the web server; their presence indicates a successful upload exploitation attempt.
  • Uploaded malicious filenames follow a predictable pattern: YYYYmmddHHiiss_<UserID>_<originalfilename>.shtml — monitor for GET requests to /files/images/ matching this pattern with query-string parameters (used to pass OS commands via SSI #exec).
  • Alert on multipart/form-data POST requests to /tool/uploadImage.php where the uploaded filename has a .shtml extension, as this is the attack vector for SSI-based RCE.
  • The predictable filename formula requires knowing the exact upload timestamp and the authenticated user's numeric ID; defenders can enumerate uploaded .shtml files by brute-forcing the timestamp component within a short window around observed login/upload activity.
  • Exploitation requires an authenticated session with sufficient privileges to access CKEditor image-upload fields; the attack is not unauthenticated.
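Added example, not code from the advisory or from the ProjeQtOr project: a small Python detector that applies the endpoint and the YYYYmmddHHiiss_<UserID>_<name>.shtml filename pattern from the bullets above to constructed access-log lines, plus a filesystem check for retained .shtml files under files/images. The combined-log format, the sample client IPs and the throwaway web root are assumptions.

```python
import re
import tempfile
from pathlib import Path
# Constructed combined-log lines modelled on the IOCs above (IPs are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Oct/2018:01:02:30 +0000] "POST /tool/uploadImage.php?CKEditor=result&CKEditorFuncNum=80&langCode=en HTTP/1.1" 200 512',
    '203.0.113.5 - - [23/Oct/2018:01:02:41 +0000] "GET /files/images/20181023010230_1_RCE.shtml?whoami HTTP/1.1" 200 87',
    '198.51.100.7 - - [23/Oct/2018:01:05:00 +0000] "GET /files/images/20181023010230_1_logo.png HTTP/1.1" 200 2048',
    '198.51.100.9 - - [23/Oct/2018:01:06:00 +0000] "GET /files/images/20181022235959_3_notes.shtml HTTP/1.1" 404 0',
]
# Only the fields the rules need: client IP, method, request target, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Retained-upload name from the advisory: YYYYmmddHHiiss_<UserID>_<originalfilename>.shtml
UPLOAD_NAME_RE = re.compile(r'^/files/images/(?P<ts>\d{14})_(?P<uid>\d+)_(?P<name>[^/?]+?)\.shtml$', re.IGNORECASE)
UPLOAD_ENDPOINT = "/tool/uploadImage.php"

def classify(method, target):
    # Returns a finding label for one request, or None when it looks benign.
    path, _, query = target.partition("?")
    if method == "POST" and path == UPLOAD_ENDPOINT:
        # The access log lacks the multipart filename: pair this with a later .shtml GET from the same client.
        return "upload-endpoint-post"
    if UPLOAD_NAME_RE.match(path):
        # A query string on a retained .shtml is the SSI #exec command channel.
        return "ssi-rce-attempt" if query else "shtml-served-from-images"
    if path.lower().startswith("/files/images/") and path.lower().endswith(".shtml"):
        return "shtml-served-from-images"  # unexpected name, but still not an image
    return None

def scan_access_log(lines):
    # Returns (label, client_ip, target, status) for every suspicious request, in log order.
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):
        label = classify(m["method"], m["target"])
        if label:
            findings.append((label, m["ip"], m["target"], m["status"]))
    return findings

def find_shtml_uploads(webroot):
    # Filesystem check: any .shtml under files/images means a rejected upload was kept.
    return sorted(p.name for p in Path(webroot, "files", "images").rglob("*.shtml"))

def demo_filesystem_check():
    # Builds a throwaway web root (constructed) and runs the filesystem check on it.
    with tempfile.TemporaryDirectory() as root:
        images = Path(root, "files", "images")
        images.mkdir(parents=True)
        (images / "20181023010230_1_RCE.shtml").write_text("constructed placeholder\n")
        (images / "20181023010230_1_logo.png").write_bytes(b"\x89PNG")
        return find_shtml_uploads(root)
```

Feed `scan_access_log` your real access log one line at a time and schedule `find_shtml_uploads` against the web root; a non-empty result from either is worth an alert on an unpatched 7.2.5 host.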

CVSS provenance

NVD v3.0: 8.8 HIGH  CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P