Projeqtor · Projeqtor · CVE-2025-3169
**Name of the Vulnerable Software and Affected Versions**
Projeqtor versions up to 12.0.2
**Description**
A critical issue affects some unknown functionality of the file /tool/saveAttachment.php, where manipulation of the `attachmentFiles` argument leads to unrestricted upload. The attack can be launched remotely, but the complexity is rather high, and exploitation is known to be difficult. The vendor notes that this issue can be exploited only on instances that were not installed securely, since the attachment directory should be placed out of web reach.
**Recommendations**
For Projeqtor versions up to 12.0.2, upgrade to version 12.0.3 to address this issue. As a temporary workaround, consider restricting access to the /tool/saveAttachment.php file to minimize the risk of exploitation. Ensure the attachment directory is out of web reach, as advised during product installation, so that uploaded files can never be executed through the web server.
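The following audit script is an added example written for this page; it is not part of Projeqtor or of the advisory. It checks the two conditions the recommendation above depends on: whether the configured attachment directory resolves to a location inside the web document root (the "not securely installed" case), and whether that directory already holds files with extensions a PHP-enabled web server would hand to the interpreter. The document root and attachment paths, and the extension list, are assumptions to be replaced with the values of the instance being checked.

```python
import os
from typing import Iterable, List

# Extensions that common PHP deployments hand to the interpreter when a file
# with that name sits under the document root. Constructed list for this
# example; tune it to the handlers your web server actually maps.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}


def is_web_reachable(document_root: str, attachment_dir: str) -> bool:
    """Return True if attachment_dir resolves to a location inside document_root.

    Both paths are canonicalised with realpath so symlinks and '..' segments
    cannot disguise a directory that is really under the web root. A plain
    string-prefix test would wrongly treat /var/www/html2 as inside
    /var/www/html; commonpath compares whole path components instead.
    """
    root = os.path.realpath(document_root)
    target = os.path.realpath(attachment_dir)
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:
        # Paths on different drives (Windows) share no common path at all.
        return False


def executable_names(filenames: Iterable[str]) -> List[str]:
    """Return the names whose extension a PHP handler could execute.

    The comparison is case-insensitive and looks at every extension in the
    name, so 'shell.PHP' is reported and so is 'report.php.txt', which some
    AddHandler-style configurations still pass to the interpreter.
    """
    flagged = []
    for name in filenames:
        parts = name.lower().split(".")[1:]  # every extension after the first dot
        if any("." + part in EXECUTABLE_EXTENSIONS for part in parts):
            flagged.append(name)
    return flagged


def audit_attachment_dir(document_root: str, attachment_dir: str) -> dict:
    """Walk attachment_dir and summarise both checks in one report."""
    found = []
    for dirpath, _dirs, files in os.walk(attachment_dir):
        for name in executable_names(files):
            found.append(os.path.join(dirpath, name))
    return {
        "web_reachable": is_web_reachable(document_root, attachment_dir),
        "executable_files": sorted(found),
    }


if __name__ == "__main__":
    import sys

    # Usage (hypothetical paths): python audit_attachments.py /var/www/html /var/www/html/files/attach
    report = audit_attachment_dir(sys.argv[1], sys.argv[2])
    print(report)
    # Exit non-zero whenever the directory is reachable through the web server,
    # which is the installation state the advisory describes as exploitable.
    sys.exit(1 if report["web_reachable"] else 0)
```

Run it against the document root of the virtual host serving Projeqtor and the attachment path configured at installation; a `web_reachable` result of `True` means the directory must be moved outside the web root (or the web server configured to refuse requests into it) regardless of whether any executable file has been found yet, since the advisory's fix condition is that uploads are never served by the web server at all.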