PT-2025-47158 · Unknown · Qatraq Version 6.9.2

Published 2025-11-17 · Updated 2025-11-26 · CVE-2025-63748

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

QaTraq version 6.9.2

Description

QaTraq version 6.9.2 allows authenticated users to upload arbitrary files through the “Add Attachment” feature of the “Test Script” module. The file upload process does not restrict file types, so executable PHP files are accepted. An uploaded file can then be opened through the “View Attachment” option, which executes the PHP payload on the server.

Recommendations

QaTraq version 6.9.2: As a temporary workaround, consider restricting access to the “Test Script” module to minimize the risk of exploitation.

Exploit

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-63748

Affected Products

Qatraq Version 6.9.2