CVE-2018-18924
Published 2018-11-04
Priority: P265 · Severity: high · CVSS 3.0 base score: 8.8
CVSS vector: AV:N AC:L PR:L UI:N S:U C:H I:H A:H
Exploit
EPSS: 9.49% (94.8th percentile)
The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| projeqtor | projeqtor | <= 7.2.5 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests uploading .shtml files to the ProjeQtOr image upload endpoint /tool/uploadImage.php; the server accepts and retains the file despite returning a "This file is not a valid image" error.
- Monitor for .shtml files appearing under the /files/images/ directory on the web server; their presence indicates a successful upload exploitation attempt.
- Uploaded malicious filenames follow a predictable pattern: YYYYmmddHHiiss_<UserID>_<originalfilename>.shtml. Monitor for GET requests to /files/images/ matching this pattern with query-string parameters (used to pass OS commands via SSI #exec).
- Alert on multipart/form-data POST requests to /tool/uploadImage.php where the uploaded filename has a .shtml extension, as this is the attack vector for SSI-based RCE.
- The predictable filename formula requires knowing the exact upload timestamp and the authenticated user's numeric ID; defenders can enumerate uploaded .shtml files by brute-forcing the timestamp component within a short window around observed login/upload activity.
- Exploitation requires an authenticated session with sufficient privileges to access CKEditor image-upload fields; the attack is not unauthenticated.
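The two detections above (retained .shtml files under /files/images/ with the predictable name, and GET requests to such files that carry a query string) can be implemented as follows. This is an added example, not code from the tracker or from ProjeQtOr; it assumes Apache/nginx-style access log lines and a plain directory listing as input, and the sample data is constructed.

```python
import re
from datetime import datetime

# Retained-upload filename pattern reported for this CVE:
# YYYYmmddHHiiss_<UserID>_<originalfilename>.shtml
UPLOAD_NAME_RE = re.compile(
    r"^(?P<ts>\d{14})_(?P<uid>\d+)_(?P<orig>[^/]+)\.shtml$", re.IGNORECASE
)
# Request line inside a common/combined access-log entry (assumed format)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def parse_upload_name(name: str):
    """Return (timestamp, user_id, original_name) when `name` matches the
    retained-upload pattern and its timestamp is a real date, else None."""
    m = UPLOAD_NAME_RE.match(name)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y%m%d%H%M%S")
    except ValueError:  # e.g. month 13: not a timestamp the app would produce
        return None
    return ts, int(m["uid"]), m["orig"]

def find_suspicious_uploads(filenames):
    """Filter a listing of /files/images/ down to pattern-matching .shtml files."""
    return [n for n in filenames if parse_upload_name(n) is not None]

def scan_access_log(lines):
    """Flag GET requests under /files/images/ for a pattern-matching .shtml
    file that also carry a query string (the SSI #exec trigger described above)."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or m["method"] != "GET":
            continue
        path, _, query = m["path"].partition("?")
        if not path.startswith("/files/images/"):
            continue
        if parse_upload_name(path.rsplit("/", 1)[-1]) and query:
            hits.append((path, query))
    return hits

# Constructed sample data (not taken from any real system)
SAMPLE_LISTING = ["20181104093015_7_logo.shtml", "20181104093015_7_logo.png", "notes.shtml"]
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Nov/2018:09:30:15 +0000] "POST /tool/uploadImage.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Nov/2018:09:31:02 +0000] "GET /files/images/20181104093015_7_logo.shtml?q=test HTTP/1.1" 200 88',
    '203.0.113.5 - - [04/Nov/2018:09:31:40 +0000] "GET /files/images/20181104093015_7_logo.png HTTP/1.1" 200 4096',
]
```

The first GET in the sample log is flagged because the requested name matches the upload pattern and carries a query string; the PNG request and the non-matching `notes.shtml` are not.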
CVSS provenance
- NVD, CVSS v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.