Unrestricted File Upload Vulnerability in Projeqtor by Projeqtor Team
CVE-2025-3169

2.3LOW

Key Information:

Vendor
Projeqtor
Status
Projeqtor
Vendor
CVE Published:
3 April 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A vulnerability exists in Projeqtor versions up to 12.0.2 due to improper handling of the argument 'attachmentFiles' in the saveAttachment.php file, allowing unauthorized users to upload files without restriction. While the attack can be initiated remotely, the complexity of exploitation is relatively high and requires specific conditions. It is crucial to note that the risk is heightened in instances that are not securely configured, as recommended during installation. To mitigate this issue, users are urged to upgrade to Projeqtor version 12.0.3, which addresses this vulnerability effectively.

Affected Version(s)

Projeqtor 12.0.0

Projeqtor 12.0.1

Projeqtor 12.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-3169 - Proof of Concept

References

https://vuldb.com/?id.303128
vdb-entrytechnical-description
https://vuldb.com/?ctiid.303128
signaturepermissions-required
https://vuldb.com/?submit.543250
third-party-advisory

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

deadmilkman (VulDB User)
.