Noé Susset

**Name of the Vulnerable Software and Affected Versions** ProjeQtor versions 7.0 through 12.4.3 **Description** An unauthenticated SQL injection exists in the login functionality. The `login` variable is directly concatenated into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privileged accounts, read sensitive data, and execute operating system commands if the database user has elevated permissions. SQL injection is a technique where malicious SQL statements are inserted into entry fields for execution, potentially allowing unauthorized access to the database. **Recommendations** Update to version 12.4.4 or later. As a temporary workaround, restrict access to the authentication endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ProjeQtor versions 7.0 through 12.4.3 **Description** A ZipSlip path traversal issue exists in the plugin upload functionality. Authenticated attackers with upload permissions can write files outside the intended extraction directory by using ZIP archives containing directory traversal sequences. This unvalidated archive extraction allows for the placement of a PHP webshell in a web-accessible directory, leading to remote code execution with the privileges of the web server process. The issue is located in the 'uploadPlugin.php' endpoint. **Recommendations** Update to version 12.4.4 or later.

**Name of the Vulnerable Software and Affected Versions** ProjeQtor versions 7.0 through 12.4.3 **Description** Authenticated users with guest-level privileges can retrieve sensitive data belonging to other users, such as password hashes and API keys. This occurs due to missing authorization in the 'objectDetail.php' endpoint, allowing attackers to bypass access controls without ownership or role-based validation to extract administrator credentials and perform privilege escalation. **Recommendations** Update to version 12.4.4. As a temporary workaround, restrict access to the 'objectDetail.php' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ProjeQtor versions 7.0 through 12.4.3 **Description** A path traversal issue exists in the log file viewer. Authenticated attackers can inject directory traversal sequences into the `logname` parameter at the 'dynamicDialog.php' endpoint to read arbitrary .log files accessible to the web server process on the filesystem. Path traversal is a technique that allows an attacker to access files and directories that are stored outside the web root folder. **Recommendations** Update to version 12.4.4 or later. As a temporary workaround, restrict access to the 'dynamicDialog.php' endpoint or avoid using the `logname` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** ProjeQtor versions 7.0 through 12.4.3 **Description** A stored cross-site scripting issue exists in the `checkValidHtmlText()` function within Security.php. The function fails to properly sanitize user input because it only detects specific patterns and returns unsanitized strings without output encoding. This allows attackers to inject malicious payloads using alternative syntax, such as img tags with event handlers, which are then stored and executed in the browsers of users who view the affected content. **Recommendations** Update to version 12.4.4. As a temporary workaround, restrict access to the `checkValidHtmlText()` function within Security.php to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ProjeQtor versions 7.0 through 12.4.3 **Description** A stored cross-site scripting issue exists in the file upload functionality. The `checkValidFileName()` function fails to restrict the upload of HTML and HTM files. Authenticated attackers can upload files containing arbitrary JavaScript through the image upload or attachment endpoints. When a user accesses the URL of the uploaded file, the embedded JavaScript executes within their browser. **Recommendations** Update to version 12.4.4 or later. As a temporary workaround, restrict the use of the `checkValidFileName()` function or the image upload and attachment endpoints to minimize the risk of exploitation.