Temel Demir

**Name of the Vulnerable Software and Affected Versions** ProjeQtOr Project Management version 9.1.4 **Description** The software contains a file upload issue that allows unauthenticated users to upload malicious PHP files. This can lead to arbitrary code execution. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter. The API endpoint used for file upload is not explicitly mentioned. The vulnerable parameter is the file uploaded through the profile attachment section. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict file upload functionality for guest users. Disable the profile attachment feature until a patch is available.