CVE-2024-29386
2024-04-04
Advisory
Software brief introduction
ProjeQtOr is open-source project management software.
https://en.wikipedia.org/wiki/ProjeQtOr
https://www.projeqtor.org/en/product-en/downloads
Vulnerability description
ProjeQtOr up to v11.2.0 contains a SQL injection vulnerability in the component /view/criticalResourceExport.php. Exploitation of this flaw, reachable from a low-privilege account, leads to privilege escalation by adding a new user with known credentials and the admin role, and from there to remote code execution via plugin upload.
Issue
model/Affectable.php
...
view/CriticalResourceExport.php
...
Steps to reproduce
- Log in with the low-privilege account guest:guest
- Send a GET request to /view/criticalResourceExport.php?scaleCriticalResources=a&startDateCriticalResources=Injection_Here&endDateCriticalResources=Injection_Here, where Injection_Here is the SQL payload placed in the startDateCriticalResources and endDateCriticalResources parameters
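The two steps above give a detection signature: the injectable values are the date parameters of one known endpoint, so any request to that path whose date parameters are not well-formed dates is worth flagging, and the same strict allow-list check is what a fix should apply before the values reach a query. The following is an added example (not the advisory's proof of concept and not ProjeQtOr code): it checks both parameters against a strict YYYY-MM-DD allow-list and scans web-server access-log lines for requests to the endpoint that fail that check. The log lines are constructed for the example in Apache combined-log style; the probe value in the second line is a generic single-quote marker, not the advisory's payload.

```python
import re
from datetime import date
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter names are the ones quoted in the reproduction steps.
ENDPOINT = "/view/criticalResourceExport.php"
DATE_PARAMS = ("startDateCriticalResources", "endDateCriticalResources")

# Strict shape check; the calendar check below rejects e.g. 2024-02-30.
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


def is_valid_date(value: str) -> bool:
    """Allow-list check: exactly YYYY-MM-DD and a real calendar date.

    This is the validation a fix should perform before either date parameter
    is used anywhere near a SQL statement (in addition to a prepared statement).
    """
    if not ISO_DATE.fullmatch(value):
        return False
    try:
        date.fromisoformat(value)
    except ValueError:
        return False
    return True


def validated_date_range(query: dict) -> tuple:
    """Return (start, end) from a parsed query string or raise ValueError.

    Both parameters must be present exactly once and pass is_valid_date().
    """
    out = []
    for p in DATE_PARAMS:
        values = query.get(p, [])
        if len(values) != 1 or not is_valid_date(values[0]):
            raise ValueError(f"rejecting parameter {p!r}: {values!r}")
        out.append(values[0])
    return tuple(out)


# Apache combined-log request line: ip ident user [ts] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_lines):
    """Yield (ip, timestamp, param, decoded_value) for requests to the export
    endpoint whose date parameters are not well-formed dates."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != ENDPOINT:
            continue
        # parse_qs percent-decodes, so %27 in the log becomes a literal quote.
        qs = parse_qs(parts.query, keep_blank_values=True)
        for p in DATE_PARAMS:
            for v in qs.get(p, []):
                if not is_valid_date(v):
                    yield (m.group("ip"), m.group("ts"), p, v)


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /view/criticalResourceExport.php'
    '?scaleCriticalResources=a&startDateCriticalResources=2024-01-01'
    '&endDateCriticalResources=2024-01-31 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Jan/2024:10:02:17 +0000] "GET /view/criticalResourceExport.php'
    '?scaleCriticalResources=a&startDateCriticalResources=2024-01-01%27'
    '&endDateCriticalResources=2024-01-31 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Jan/2024:10:03:40 +0000] "GET /view/main.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Matching on the decoded value rather than on raw substrings such as `%27` or `--` keeps the check independent of how the client encoded the payload, and the allow-list form means a novel payload is flagged just as readily as a textbook one.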
Proof of concept
## SQLi to create new user with admin Priv
Timeline (DD-MM-YYYY)
- 10-01-2024: Vulnerability identified
- 14-02-2024: 1st vendor contact attempt via email
- 05-03-2024: 2nd vendor contact attempt via email
- 10-03-2024: 3rd vendor contact attempt via website forum
- 12-03-2024: CVE requested
- 24-03-2024: CVE assigned
- 04-04-2024: CVE publication requested
Conclusion
I discovered the issue during my journey at Mazars Cybersecurity as an application security consultant. The product owner was notified, following their security policy, via email and the public forum of the website but didn't respond.