Advisory Summary 2021 – Projeqtor


Projeqtor version 9.3.1 suffers from a stored XSS vulnerability via SVG file upload. A low-privilege user can upload SVG images that contain malicious JavaScript. In this way an attacker can escalate privileges and upload a malicious plugin, which results in arbitrary code execution on the server hosting the application.


Authenticated attackers could perform actions in the context of high privilege users. This vulnerability could lead to site-wide account takeovers, privilege escalation and remote code execution.

Affected Vendor

Projeqtor

Affected Version

Projeqtor 9.3.1 and earlier versions

Vulnerability Summary

Improper sanitization of user-supplied files allows attackers to upload SVG images containing malicious JavaScript code.
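The defensive counterpart to this finding is an upload check that refuses SVG files carrying active content before they are stored, plus response headers that keep even a clean SVG from running in the application's origin. The following is an added illustration written for this advisory, not Projeqtor's own code or its fix; the function names and the sample SVG documents are constructed for the example.

```python
"""Reject SVG uploads that carry active content and serve stored SVGs so that
they cannot execute in the application's origin.

Added illustration for this advisory; not Projeqtor's code.  All names and
sample documents below are constructed for the example."""
import re
import xml.etree.ElementTree as ET

# Elements that can execute script or embed script-capable content.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree name such as '{ns}script'."""
    return tag.rsplit("}", 1)[-1]


def svg_violations(data: bytes) -> list:
    """Return the reasons an SVG upload is unsafe; an empty list means clean."""
    reasons = []
    # An SVG upload never needs a DOCTYPE, and it is the usual carrier for
    # entity tricks, so reject it before parsing at all.
    if re.search(rb"<!DOCTYPE", data, re.IGNORECASE):
        reasons.append("DOCTYPE declaration present")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if _local(root.tag).lower() != "svg":
        reasons.append("root element is <%s>, not <svg>" % _local(root.tag))
    for el in root.iter():
        name = _local(el.tag)
        if name.lower() in FORBIDDEN_TAGS:
            reasons.append("forbidden element <%s>" % name)
        for attr, value in el.attrib.items():
            aname = _local(attr)  # covers both href and xlink:href
            # on* attributes (onload, onclick, ...) are inline event handlers.
            if aname.lower().startswith("on"):
                reasons.append("event handler attribute %s on <%s>" % (aname, name))
            if aname.lower() == "href" and re.match(r"^\s*javascript:", value, re.I):
                reasons.append("javascript: URL in %s on <%s>" % (aname, name))
        # <style> may pull in external resources via @import or url().
        if name.lower() == "style" and el.text and re.search(r"@import|url\s*\(", el.text, re.I):
            reasons.append("<style> references external resources")
    return reasons


def is_safe_svg(data: bytes) -> bool:
    """Gate an upload on the allow-list check above."""
    return svg_violations(data) == []


def download_headers(filename: str) -> dict:
    """Defence in depth for serving stored SVGs: force a download, forbid MIME
    sniffing, and sandbox anything a browser still chooses to render."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; script-src 'none'",
    }


# Constructed samples (not taken from the advisory or the product).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>console.log(1)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="console.log(1)"><rect/></svg>'
LINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:console.log(1)"><text>x</text></a></svg>')
DOCTYPE_SVG = b'<!DOCTYPE svg [<!ENTITY x "y">]><svg xmlns="http://www.w3.org/2000/svg"/>'

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("link", LINK_SVG),
                       ("doctype", DOCTYPE_SVG)]:
        print(label, "->", svg_violations(doc) or "accepted")
    print(download_headers('logo".svg'))
```

The check is an allow-list on structure rather than a regex over the raw bytes, so encoded or split variants of `<script>` are handled by the XML parser rather than by string matching; the headers matter even after a clean verdict, because a stored file is still delivered from the application's origin.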

CVE: CVE-2021-42940

Proof of Concept

We have released a proof of concept in the following sources:


Remediation

Update to version 9.4.2 or the latest version.


Disclosure Timeline

  • 10/28/2021 – Contact with vendor.
  • 10/29/2021 – Vulnerability acknowledged.
  • 12/15/2021 – Fix released.

CISO Global Advisory Contact: Oscar Gutierrez