CVE-2021-47819

ProjeQtOr · ProjeQtOr Project Management Multiple Products

A critical vulnerability has been identified in ProjeQtOr Project Management software, allowing unauthenticated guest users to take complete control of the server.

Executive summary

ProjeQtOr Project Management contains a critical unrestricted file upload vulnerability that lets a user with only guest access, which on affected installations requires no authentication, take complete control of the server. The attacker uploads a malicious file, then invokes it to execute arbitrary commands, leading to full system compromise, data theft and service disruption. Because exploitation is trivial and the impact severe, immediate remediation is required.

Vulnerability

The vulnerability is an unrestricted file upload in the profile attachment feature. The application does not validate the type of uploaded files, so a guest user (a low-privileged account that, on affected installations, requires no authentication) can upload a file carrying a PHP extension (e.g., shell.php). Because the attachment directory is served by the web server and script execution is not disabled there, the attacker can then request the uploaded file directly by URL and pass it a specially crafted request parameter, executing arbitrary system commands with the privileges of the web server's user account. The result is Remote Code Execution (RCE).

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the underlying server hosting the ProjeQtOr application. The potential consequences include theft of sensitive project data, intellectual property, and personally identifiable information (PII); disruption of project management operations; and reputational damage. The compromised server could also be used as a pivot point to launch further attacks against the internal network, escalating the security incident significantly.

Remediation

Immediate Action: Update ProjeQtOr Project Management to the latest version released by the vendor. After patching, check for signs of post-exploitation activity and review historical web server access logs for indicators of compromise: suspicious uploads, and direct requests for script files under the attachment directory.

Proactive Monitoring: System administrators should monitor web server logs for HTTP POST requests to the profile attachment upload endpoint followed by requests for files with script extensions (e.g., .php, .phtml, .php5) under the attachment directory. Note that a standard access log does not record the uploaded filename (it travels in the request body), so the follow-up request for the dropped file, typically with a query string carrying the command, is usually the clearer signal. Monitor for unexpected child processes spawned by the web server process (e.g., sh, bash, cmd.exe, powershell.exe), and use network monitoring to detect unusual outbound connections from the ProjeQtOr server.
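The following is an added detection example, not code from ProjeQtOr or from the original advisory. It runs the log-review logic described above over constructed access-log lines in the Apache/nginx combined format: it flags any request for a script-looking file under the attachment directory, notes when a query string was passed to it, and correlates it with a preceding upload POST from the same client. The upload endpoint (/tool/saveAttachment.php) and the attachment directory (/files/attachments/) are assumptions for illustration and must be replaced with the paths of your deployment.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Extensions a PHP-enabled web server will typically execute. A deny-list
# that only covers ".php" misses .phtml/.phar and the versioned variants.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# ASSUMPTIONS (placeholders, not ProjeQtOr's real routes): the upload
# endpoint and the directory from which attachments are served.
UPLOAD_ENDPOINTS = {"/tool/saveAttachment.php"}
ATTACHMENT_DIR = "/files/attachments/"

# A script request this soon after an upload POST from the same client is
# reported as an upload-then-execute chain.
CHAIN_WINDOW_SECONDS = 600

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:01:02 +0000] "POST /tool/saveAttachment.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:01:09 +0000] "GET /files/attachments/shell.php?cmd=id HTTP/1.1" 200 77 "-" "curl/8.4.0"
198.51.100.4 - - [10/Mar/2024:12:02:15 +0000] "GET /files/attachments/plan.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:02:40 +0000] "POST /tool/saveAttachment.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:05:00 +0000] "GET /files/attachments/report.phtml.jpg HTTP/1.1" 200 55 "-" "python-requests/2.31"
this line is not in combined format and is skipped
"""


def script_extensions(path):
    """Return every dotted suffix of the final path segment that is a script
    extension. Checking all suffixes, not just the last one, catches double
    extensions such as 'x.php.jpg', which Apache's AddHandler still runs."""
    name = path.rsplit("/", 1)[-1]
    return {"." + seg.lower() for seg in name.split(".")[1:]} & SCRIPT_EXTS


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(rec["target"])
    rec["path"], rec["query"] = url.path, url.query
    return rec


def analyze(lines):
    """Return one finding per request for a script under the attachment dir.
    Tags: script-in-upload-dir, query-string, upload-then-execute."""
    last_upload = {}   # client IP -> timestamp of its most recent upload POST
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] in UPLOAD_ENDPOINTS:
            last_upload[rec["ip"]] = rec["ts"]
            continue
        if not rec["path"].startswith(ATTACHMENT_DIR):
            continue
        if not script_extensions(rec["path"]):
            continue
        tags = ["script-in-upload-dir"]
        if rec["query"]:
            tags.append("query-string")
        uploaded_at = last_upload.get(rec["ip"])
        if uploaded_at is not None and \
                (rec["ts"] - uploaded_at).total_seconds() <= CHAIN_WINDOW_SECONDS:
            tags.append("upload-then-execute")
        # A 200 here means the server served (or executed) the script; a 404
        # still indicates probing and is worth keeping.
        findings.append({"ip": rec["ip"], "path": rec["path"],
                         "status": rec["status"], "tags": tags})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} {f['status']} {f['path']} -> {', '.join(f['tags'])}")
```

Run against a real log with `analyze(open("access.log").read().splitlines())`. The double-extension check matters when the web server uses Apache's AddHandler, which treats `report.phtml.jpg` as PHP; if your upload directory already has script execution disabled, such hits are reconnaissance rather than successful execution, but the preceding upload POST from the same client is still worth investigating.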

Compensating Controls: If immediate patching is not feasible, implement the following controls:

  • Deploy a Web Application Firewall (WAF) with rules that inspect file uploads and block executable file types, matching on content as well as extension so that double extensions and case variants are caught.
  • Disable the guest user account or severely restrict its permissions, particularly the ability to upload files.
  • Modify the web server configuration to prevent the execution of scripts in the file upload directory, and where possible store uploads outside the web root so they are never directly requestable.
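As an added example of the third control (not configuration shipped by ProjeQtOr), the Apache fragment below shows the weak default state and the hardened settings for the attachment directory. The directory path is an assumption; use the one your instance stores uploads in. It targets mod_php; with PHP-FPM the equivalent is to make sure the `SetHandler "proxy:fcgi://..."` block is scoped so that it does not apply to this directory, in addition to the deny rule.

```apache
# Weak (default) state: no directives for the upload tree, so the PHP
# handler that applies site-wide also executes any .php an attacker drops
# into the attachment directory.

# Hardened state (assumed path; adjust to your deployment):
<Directory "/var/www/projeqtor/files/attachments">
    # Turn the PHP engine off for this subtree (mod_php only).
    php_admin_flag engine off
    # Strip the handler/type mappings so .phtml/.phar/.php5 are not
    # interpreted even if a global AddHandler covers them.
    RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phar
    RemoveType    .php .phtml .php3 .php4 .php5 .php7 .phar
    # Refuse to serve script-looking names at all, including double
    # extensions such as shell.php.jpg that AddHandler would still run.
    <FilesMatch "\.(php[0-9]?|phtml|phar)(\.|$)">
        Require all denied
    </FilesMatch>
    # No CGI or server-side includes from user-controlled files either.
    Options -ExecCGI -Includes
</Directory>
```

After applying it, verify from outside with a request for a harmless `test.php` placed in the directory: the expected response is 403, not the output of the script and not its source. Serving the source (a 200 with PHP code in the body) means the handler was removed but the deny rule did not match.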

Exploitation status

Public Exploit Available: true

Analyst recommendation

Due to the critical 9.8 CVSS score and the unauthenticated nature of this remote code execution vulnerability, this issue presents an immediate and severe risk to the organization. We strongly recommend that all affected ProjeQtOr instances be patched immediately. Systems that were exposed to the internet prior to patching should be considered potentially compromised and subjected to a thorough security review and incident response process to hunt for evidence of malicious activity.