CVE-2021-42940

Name of the Vulnerable Software and Affected Versions Projeqtor version 9.3.1

Description A Cross Site Scripting (XSS) issue exists, allowing an attacker to upload a SVG file containing malicious JavaScript code via the "/projeqtor/tool/saveAttachment.php" API endpoint. This enables the execution of malicious code.

Recommendations For Projeqtor version 9.3.1, consider disabling the "/projeqtor/tool/saveAttachment.php" endpoint until a patch is available to prevent the upload of malicious SVG files. Restrict access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.