CVE-2021-47819

Severity: Critical · Public PoC available
Published: 15 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.2th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: Prevents guest users from performing unauthorized file uploads by explicitly defining and restricting actions permitted without identification or authentication.
- Prevent: Validates file uploads in the profile attachment section to reject malicious PHP files with dangerous types before they are accepted.
- Prevent: Restricts file upload inputs to safe types and content, blocking unrestricted uploads of executable PHP scripts by guest users.

Security Summary (AI-generated)

CVE-2021-47819 is a file upload vulnerability in ProjeQtOr Project Management version 9.1.4 that enables attackers to upload malicious PHP files, leading to arbitrary code execution. The flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), allows guest users to exploit the profile attachment section to upload PHP scripts. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of required privileges or user interaction.

Guest users, requiring no authentication, can exploit this vulnerability remotely by uploading a malicious PHP script through the profile attachment feature. Once uploaded, attackers access the file via a specially crafted request parameter to execute system commands, potentially achieving full remote code execution on the server. The impact on confidentiality, integrity, and availability is high, enabling outcomes such as data exfiltration, privilege escalation, or further system compromise.

Advisories and mitigation details are referenced in sources including an Exploit-DB entry at https://www.exploit-db.com/exploits/49919, which documents the vulnerability and likely includes a proof-of-concept, and the vendor site at https://www.projeqtor.org for potential patches or updates. Security practitioners should verify that they are running the latest version of ProjeQtOr and restrict file upload functionality, particularly for guest profiles, pending official remediation guidance.

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability allows unauthenticated remote file upload of malicious PHP files leading to RCE, directly enabling exploitation of a public-facing application (T1190) and deployment of a web shell (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0