CVE-2021-47819
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: VulnCheck

Description
ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter.
Meta Information
Published: 2026-01-15
Last Modified: 2026-01-15
Generated: 2026-06-16
AI Q&A: 2026-01-16
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE

| Vendor | Product | Version / Range |
| --- | --- | --- |
| projeqtor | project_management | 9.1.4 |

| CWE ID | Description |
| --- | --- |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |

Executive Summary

This vulnerability in ProjeQtOr Project Management version 9.1.4 allows guest users to upload malicious PHP files through the profile attachment section. By uploading a specially crafted PHP script, an attacker can execute arbitrary system commands on the server by accessing the uploaded file with a crafted request parameter. This leads to unauthorized remote code execution and privilege escalation. [1]

Impact Analysis

The vulnerability can allow an attacker to execute arbitrary commands on the server hosting ProjeQtOr 9.1.4 without any authentication. This can lead to full system compromise, unauthorized access to sensitive data, disruption of services, and escalation of privileges, posing a critical security risk to affected installations. [1]

Detection Guidance

You can detect this vulnerability by checking if the ProjeQtOr 9.1.4 instance allows uploading PHP files through the profile attachment section. One method is to attempt uploading a PHP file containing code like `<?php echo shell_exec($_GET['key'].' 2>&1'); ?>` as a guest user via the profile 'add photo' upload feature. After upload, verify if the system responds with a message like "Attachment #(number) inserted". Then, try accessing the uploaded file with a URL such as `http://ip:port/files/attach/attachment_1/yourfile.pHp.projeqtor?key=whoami` to see if the command output is returned, indicating successful code execution. This process effectively tests for the vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include disabling the file upload feature in the profile attachment section for guest users, restricting or validating file types to prevent uploading PHP or executable files, and applying any available patches or updates from ProjeQtOr that address this vulnerability. Additionally, monitor and restrict access to the upload directories and consider implementing web application firewall (WAF) rules to block malicious upload attempts and execution of uploaded scripts. [1]
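
One way to apply the advice to monitor the upload directories is to review web server access logs for requests that reach a PHP-named file under the attachment path. The script below is an added example, not part of the original advisory or of ProjeQtOr; it assumes combined-format access logs, and the extension list, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Path fragment and ".projeqtor" suffix come from the URL in the detection guidance.
ATTACH_PREFIX = "/files/attach/"
STORED_SUFFIX = ".projeqtor"
# Assumption: extensions commonly mapped to the PHP handler; adjust to the server's config.
PHP_EXT = re.compile(r"\.(php\d?|phtml|pht|phar)$", re.IGNORECASE)
# Common/combined log format: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return a finding dict for a suspicious attachment request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = unquote(url.path)
    if ATTACH_PREFIX not in path.lower():
        return None
    name = path.rsplit("/", 1)[-1]
    if name.lower().endswith(STORED_SUFFIX):
        name = name[: -len(STORED_SUFFIX)]  # look at the extension the uploader chose
    if not PHP_EXT.search(name):
        return None
    # A 200 response to a request with a query string suggests the file was executed.
    served = m["status"] == "200"
    return {"client": m["client"], "time": m["ts"], "path": path,
            "has_query": bool(url.query), "served": served,
            "severity": "high" if served and url.query else "medium"}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [15/Jan/2026:10:01:02 +0000] "GET /files/attach/attachment_1/yourfile.pHp.projeqtor?key=whoami HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.9 - - [15/Jan/2026:10:02:00 +0000] "GET /files/attach/attachment_2/photo.png.projeqtor HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jan/2026:10:03:00 +0000] "GET /files/attach/attachment_3/a.phtml HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.9 - - [15/Jan/2026:10:04:00 +0000] "GET /view/main.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any "high" finding means a PHP-named attachment was served with a query string and warrants inspecting that file on disk; "medium" findings are probes or requests that were not served with status 200.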
