CVE-2021-47819

Name of the Vulnerable Software and Affected Versions ProjeQtOr Project Management version 9.1.4

Description The software contains a file upload issue that allows unauthenticated users to upload malicious PHP files. This can lead to arbitrary code execution. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter. The API endpoint used for file upload is not explicitly mentioned. The vulnerable parameter is the file uploaded through the profile attachment section.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict file upload functionality for guest users. Disable the profile attachment feature until a patch is available.