The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with #exec cmd because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.
The product does not properly “clean up” and remove temporary or supporting resources after they have been used.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Projeqtor | Projeqtor | * | 7.2.5 (including) |
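
The cleanup failure described above, shown from the fix side as an added example (not ProjeQtOr code, which is not shown on this page). The function and directory names, the allow-list and the magic-byte check are assumptions of this sketch: uploads are staged outside the served directory, removed on every rejection path, and published only under a server-chosen random name and extension.

```python
import os
import secrets
import shutil
import tempfile

# Assumed allow-list: magic bytes -> extension the server will assign.
# A production check would also decode the image; this is the minimal gate.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


class InvalidImage(Exception):
    """Raised when the upload is not one of the accepted image types."""


def detect_extension(header: bytes):
    """Return the extension matching the file's magic bytes, or None."""
    for magic, ext in SIGNATURES.items():
        if header.startswith(magic):
            return ext
    return None


def store_image_upload(data: bytes, staging_dir: str, public_dir: str) -> str:
    """Validate in a non-served staging directory; publish only on success."""
    # Stage under a random name; the client-supplied filename is never used,
    # so neither its name nor its extension (.shtml, .php, ...) reaches disk.
    fd, staged = tempfile.mkstemp(dir=staging_dir, prefix="upload-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        ext = detect_extension(data[:16])
        if ext is None:
            raise InvalidImage("This file is not a valid image")
        # Unguessable final name with an extension chosen by the server.
        final = os.path.join(public_dir, secrets.token_hex(16) + ext)
        shutil.move(staged, final)
        return final
    finally:
        # Runs on success and on rejection: nothing rejected stays behind.
        if os.path.exists(staged):
            os.remove(staged)
```

The staging directory must not be reachable through the web server, so that a file is never served during the window before validation completes.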