Advisory Summary 2021 – Projeqtor
CVE-2021-42940
Projeqtor version 9.3.1 suffers from a stored cross-site scripting (XSS) vulnerability via SVG file upload. A low-privilege user can upload SVG images that contain malicious JavaScript. In this way an attacker can escalate privileges and upload a malicious plugin, which results in arbitrary code execution on the server hosting the application.
Impact
Authenticated attackers could perform actions in the context of high privilege users. This vulnerability could lead to site-wide account takeovers, privilege escalation and remote code execution.
Affected Vendor
Vulnerability Summary
Improper sanitization of user-supplied files allows attackers to upload SVG images containing malicious JavaScript code.
CVE: CVE-2021-42940
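As an added illustration of the weakness described above (constructed example code, not Projeqtor's own code and not its 9.4.2 fix), the following Python upload filter rejects SVG documents that carry active content: `<script>` and similar elements, `on*` event-handler attributes, and `javascript:` URLs, including ones obfuscated with embedded whitespace or control characters. The sample SVG documents and the function names are constructed for this example.

```python
"""Reject uploaded SVG files that carry active content.

Constructed mitigation example (not Projeqtor's code): an upload filter that
rejects SVG documents containing script elements, event-handler attributes or
javascript: URLs, the ingredients of a stored XSS via image upload.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

# Elements that can execute script or embed HTML inside an SVG document.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}


def _local_name(qname: str) -> str:
    """Strip the {namespace} prefix that ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def _is_script_url(value: str) -> bool:
    """True if the value is a javascript: URL once control characters and
    whitespace (a common obfuscation) are removed."""
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    return cleaned.startswith("javascript:")


def find_active_content(svg_bytes: bytes) -> List[str]:
    """Return findings describing active content in the SVG; an empty list means clean.

    Note: xml.etree is used here for a stdlib-only example; a production filter
    should parse untrusted XML with defusedxml to resist entity-based attacks.
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for elem in root.iter():  # root.iter() includes the root element itself
        name = _local_name(elem.tag)
        if name in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            elif _is_script_url(value):
                # Covers href/xlink:href on <a> and <use>, and SMIL 'to'/'values'
                # attributes that could animate an href into a javascript: URL.
                findings.append(f"javascript: URL in {attr_name} on <{name}>")
    return findings


def is_safe_svg_upload(svg_bytes: bytes) -> bool:
    """Policy decision for the upload handler: accept only SVGs with no findings."""
    return not find_active_content(svg_bytes)


# Constructed sample inputs.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
             b'<circle cx="5" cy="5" r="4"/></svg>')
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
               b'<rect width="5" height="5" onload="alert(1)"/></svg>')
# Whitespace-obfuscated scheme: "java&#x0A;script:" is "java\nscript:" after parsing.
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="java&#x0A;script:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                          ("handler", HANDLER_SVG), ("href", HREF_SVG)]:
        print(label, "accepted" if is_safe_svg_upload(sample) else find_active_content(sample))
```

The simplest fix for an application that does not need vector images from low-privilege users is to drop SVG from the upload allow-list altogether. Where SVG must be accepted, a content filter like the one above should be paired with defense in depth on the serving side: deliver uploads from a separate origin, with `Content-Disposition: attachment`, `X-Content-Type-Options: nosniff`, and a restrictive Content-Security-Policy, so that a file which slips past the filter cannot run in the application's origin.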
Proof of Concept
We have released a proof of concept in the following sources:
- https://packetstormsecurity.com/files/165423/Projeqtor-9.3.1-Cross-Site-Scripting.html
- https://www.exploit-db.com/exploits/50641
Solution
Update to version 9.4.2 or newer.
Timeline
- 10/28/2021 – Contact with vendor.
- 10/29/2021 – Vulnerability acknowledged.
- 12/15/2021 – Fix released.