Projeqtor vulnerabilities
14 known vulnerabilities affecting projeqtor/projeqtor.
Total CVEs: 14
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 5, MEDIUM 7
Vulnerabilities
CVE-2018-18924 | P2 | HIGH | CVSS 8.8 | CWE-459 | PoC: yes | Affected: ≤ 7.2.5 | Published: 2018-11-04
The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.
Source: nvd
CVE-2013-6164 | P3 | HIGH | CVSS 7.5 | CWE-89 | PoC: yes | Affected: v3.4.0 | Published: 2013-11-14
SQL injection vulnerability in view/objectDetail.php in Project'Or RIA 3.4.0 allows remote attackers to execute arbitrary SQL commands via the objectId parameter.
Source: nvd
CVE-2026-41462 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | Affected: ≥ 7.0, ≤ 12.4.3 | Published: 2026-04-27
ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality where the login variable is directly concatenated into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privile
Source: nvd
CVE-2026-41463 | P2 | HIGH | CVSS 8.8 | CWE-22 | Affected: ≥ 7.0, ≤ 12.4.3 | Published: 2026-04-27
ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to
Source: nvd
CVE-2024-29387 | P3 | HIGH | CVSS 8.8 | CWE-434 | Affected: ≤ 11.2.0 | Published: 2024-04-04
projeqtor up to 11.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /view/print.php.
Source: nvd
CVE-2017-11760 | P3 | HIGH | CVSS 8.8 | CWE-94 | Affected: ≤ 6.3.1 | Published: 2017-07-31
uploadImage.php in ProjeQtOr before 6.3.2 allows remote authenticated users to execute arbitrary PHP code by uploading a .php file composed of concatenated image data and script data, as demonstrated by uploading as an image within the description text area.
Source: nvd
CVE-2026-41464 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | Affected: ≥ 7.0, ≤ 12.4.3 | Published: 2026-04-27
ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ow
Source: nvd
CVE-2026-41465 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | Affected: ≥ 7.0, ≤ 12.4.3 | Published: 2026-04-27
ProjeQtor versions 7.0 through 12.4.3 contain a path traversal vulnerability in the log file viewer at dynamicDialog.php where the logname parameter is not validated against directory traversal sequences before constructing file paths. Authenticated attackers can inject directory traversal sequences ../ into the logname parameter to read arbitrary .lo
Source: nvd
CVE-2021-42940 | P3 | CRITICAL | CVSS 9.9 | CWE-79 | Affected: ≤ 9.3.1 | Published: 2022-02-11
A Cross Site Scripting (XSS) vulnerability exists in Projeqtor 9.3.1 via /projeqtor/tool/saveAttachment.php, which allows an attacker to upload an SVG file containing malicious JavaScript code.
Source: nvd
CVE-2024-29386 | P3 | MEDIUM | CVSS 5.4 | CWE-89 | Affected: ≤ 11.2.0 | Published: 2024-04-04
projeqtor up to 11.2.0 was discovered to contain a SQL injection vulnerability via the component /view/criticalResourceExport.php.
Source: nvd
CVE-2026-41467 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 7.0, ≤ 12.4.3 | Published: 2026-04-27
ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality where the checkValidFileName() function fails to restrict HTML and HTM file uploads. Authenticated attackers can upload HTML files containing arbitrary JavaScript through the image upload or attachment endpoints, and any user acc
Source: nvd
CVE-2026-41466 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 7.0, ≤ 12.4.3 | Published: 2026-04-27
ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the checkValidHtmlText() function within Security.php that fails to properly sanitize user input by only detecting specific patterns while returning unsanitized strings without output encoding. Attackers can inject malicious payloads that bypass the filter us
Source: nvd
CVE-2023-49034 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 11.0.2 | Published: 2024-02-20
Cross Site Scripting (XSS) vulnerability in ProjeQtOr 11.0.2 allows a remote attacker to execute arbitrary code via a crafted script to the checkvalidHtmlText function in the ack.php and security.php files.
Source: nvd
CVE-2013-6163 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | Affected: ≤ 3.4.4, v0.1.0, +77 more | Published: 2013-11-14
Multiple cross-site scripting (XSS) vulnerabilities in ProjeQtOr (formerly Project'Or RIA) before 4.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to view/parameter.php, (2) p1value parameter to view/main.php, or (3) objectClass parameter to view/objectDetail.php.
Source: nvd