CVE-2021-47819
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2021-47819, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: VulnCheck

Description

ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-07-07
AI Q&A
2026-01-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
projeqtor project_management 9.1.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in ProjeQtOr Project Management version 9.1.4 allows guest users to upload malicious PHP files through the profile attachment section. By uploading a specially crafted PHP script, an attacker can execute arbitrary system commands on the server by accessing the uploaded file with a crafted request parameter. This leads to unauthorized remote code execution and privilege escalation. [1]

Impact Analysis

The vulnerability can allow an attacker to execute arbitrary commands on the server hosting ProjeQtOr 9.1.4 without any authentication. This can lead to full system compromise, unauthorized access to sensitive data, disruption of services, and escalation of privileges, posing a critical security risk to affected installations. [1]

Detection Guidance

You can detect this vulnerability by checking if the ProjeQtOr 9.1.4 instance allows uploading PHP files through the profile attachment section. One method is to attempt uploading a PHP file containing code like `<?php echo shell_exec($_GET['key'].' 2>&1'); ?>` as a guest user via the profile 'add photo' upload feature. After upload, verify if the system responds with a message like "Attachment #(number) inserted". Then, try accessing the uploaded file with a URL such as `http://ip:port/files/attach/attachment_1/yourfile.pHp.projeqtor?key=whoami` to see if the command output is returned, indicating successful code execution. This process effectively tests for the vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include disabling the file upload feature in the profile attachment section for guest users, restricting or validating file types to prevent uploading PHP or executable files, and applying any available patches or updates from ProjeQtOr that address this vulnerability. Additionally, monitor and restrict access to the upload directories and consider implementing web application firewall (WAF) rules to block malicious upload attempts and execution of uploaded scripts. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47819. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart