CVE-2018-18924

Name of the Vulnerable Software and Affected Versions ProjeQtOr version 7.2.5

Description The issue concerns the image-upload feature, which allows remote attackers to execute arbitrary code. This is achieved by uploading a .shtml file containing "#exec cmd" because rejected files remain on the server with predictable filenames after a "This file is not a valid image" error message.

Recommendations For ProjeQtOr version 7.2.5, consider disabling the image-upload feature until a patch is available to prevent the execution of arbitrary code. Restrict access to the server where the rejected files are stored to minimize the risk of exploitation.