
Advisory Summary 2021 – Projeqtor

CVE-2021-42940

Projeqtor version 9.3.1 suffers from a stored XSS vulnerability via SVG file upload. A low-privilege user can upload SVG images that contain malicious JavaScript. An attacker can use this to escalate privileges and upload a malicious plugin, which results in arbitrary code execution on the server hosting the application.

Impact

Authenticated attackers could perform actions in the context of high-privilege users. This vulnerability could lead to site-wide account takeovers, privilege escalation and remote code execution.

Affected Vendor

Vendor      Product
Projeqtor   Projeqtor 9.3.1 and earlier versions

Vulnerability Summary

Improper sanitization of user-supplied files allows attackers to upload SVG images containing malicious JavaScript code.
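A defensive upload check for the vector described above, added here as an illustration and not part of the advisory or of the Projeqtor code base. It assumes only the Python standard library and uses constructed sample SVGs; it rejects script elements, inline event handlers and javascript: URLs rather than trying to rewrite the file.

```python
"""Reject uploaded SVG files that carry active content (the CVE-2021-42940 vector).
Standard library only; for untrusted input in production prefer defusedxml and a size limit."""
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that execute script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Plain (SVG 2) and xlink-namespaced href attributes that can hold a javascript: URL.
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}
_JS_SCHEME = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def svg_findings(svg_bytes: bytes) -> list:
    """Return the reasons an upload must be rejected; an empty list means clean.
    Entities such as jav&#x61;script: are decoded by the parser before we look."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    findings = []
    if _local(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % _local(root.tag))
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append("active element <%s>" % name)
        for attr, value in elem.attrib.items():
            # Browsers drop tab/CR/LF inside a URL scheme, so strip them before matching.
            url = re.sub(r"[\t\r\n]", "", value)
            if _local(attr).lower().startswith("on"):
                findings.append("event handler %s on <%s>" % (_local(attr), name))
            elif attr in HREF_ATTRS and _JS_SCHEME.match(url):
                findings.append("javascript: URL in %s on <%s>" % (_local(attr), name))
    return findings

def is_safe_svg(svg_bytes: bytes) -> bool:
    """Gate for the upload handler: store the file only when this returns True."""
    return not svg_findings(svg_bytes)

# Constructed samples: a benign icon and an upload carrying three classic vectors.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#0a0"/></svg>')
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                 b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
                 b'<script>alert(1)</script>'
                 b'<a xlink:href="jav&#x61;script:alert(1)"><text>hi</text></a></svg>')
```

Even with this gate in place, serve user uploads from a separate origin or with `Content-Disposition: attachment` and a restrictive `Content-Security-Policy`, so a file that slips past the parser cannot run in the application's origin.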

CVE: CVE-2021-42940

Proof of Concept

We have released a proof of concept in the following sources:

Solution

Update to version 9.4.2 or newer.

Timeline

  • 10/28/2021 – Contact with vendor.
  • 10/29/2021 – Vulnerability acknowledged.
  • 12/15/2021 – Fix released.

Cerberus Advisory Contact: Oscar Gutierrez