
CVE-2026-41463

High
CWE-22 — Weakness Type
Published: Apr 27, 2026  ·  Modified: May 4, 2026  ·  Source: NVD
CVSS v3
8.8
📄 Description (English)

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.
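The mechanics behind the description, as an added example that is not ProjeQtor's code: a crafted entry name such as `../../htdocs/shell.php` is written literally into the archive, a naive extractor joins it onto the destination directory and the file lands two levels up, while a hardened extractor validates every entry (no `..` segments, no absolute or backslash paths, no symlinks, resolved target inside the destination) before writing anything. The archive contents, entry names and directory layout are constructed for the demo.

```python
"""Added example (not ProjeQtor's code): ZipSlip in a plugin-archive extractor,
vulnerable pattern beside a hardened one. Archive, names and layout are constructed."""
from __future__ import annotations

import io
import os
import stat
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed 'plugin' archive: one legitimate file plus two hostile entries.
    An attacker writes these names with any ZIP library; no extractor produces them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myplugin/plugin.xml", "<plugin name='demo'/>")
        # Relative traversal: climbs two levels out of <dest> into a sibling web dir.
        zf.writestr("../../htdocs/shell.php", "<?php system($_GET['c']); ?>")
        # Backslash variant: inert on Linux, a traversal on a Windows host.
        zf.writestr("..\\..\\htdocs\\shell3.php", "<?php phpinfo(); ?>")
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """The vulnerable pattern: trust the entry name and join it onto dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # '../' is honoured as-is
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def is_safe_entry(name: str, dest: str) -> bool:
    """True only if the entry can never resolve outside dest."""
    if not name or name.startswith(("/", "\\")) or "\\" in name:
        return False
    if os.path.splitdrive(name)[0]:          # C:\... on Windows hosts
        return False
    if ".." in name.split("/"):
        return False
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return target == root or target.startswith(root + os.sep)


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Hardened extractor: validate every entry first, then write; all-or-nothing."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = []
        for info in zf.infolist():
            mode = info.external_attr >> 16            # Unix mode bits, if present
            if stat.S_ISLNK(mode) or not is_safe_entry(info.filename, root):
                bad.append(info.filename)
        if bad:
            raise ValueError(f"rejected archive, unsafe entries: {bad}")
        written = []
        for info in zf.infolist():
            target = os.path.join(root, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors in a throwaway tree; report what escaped and what was rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        dest = os.path.join(tmp, "app", "plugins")   # constructed layout
        os.makedirs(dest)
        naive = naive_extract(build_malicious_zip(), dest)
        escaped = [os.path.relpath(p, tmp) for p in naive if not p.startswith(dest + os.sep)]
        try:
            safe_extract(build_malicious_zip(), dest)
            rejected = None
        except ValueError as exc:
            rejected = str(exc)
    return {"escaped": escaped, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The naive extractor leaves `htdocs/shell.php` outside the plugin directory, which is exactly the web-accessible webshell the description warns about; the hardened one refuses the whole archive before touching disk, so a partially extracted plugin never remains. Note that `zipfile.ZipFile.extractall` in Python already strips traversal components, which is why the vulnerable path is shown with a hand-rolled join rather than that call.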

🤖 AI Executive Summary

ProjeQtor versions 7.0 through 12.4.3 contain a high-severity (CVSS 8.8) ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write arbitrary files outside the intended extraction directory. By uploading a ZIP archive whose entry names contain directory traversal sequences, an attacker can drop a PHP webshell into a web-accessible directory and achieve remote code execution with the privileges of the web server process. This poses significant risk to Saudi organizations using ProjeQtor for project management, particularly those with internet-facing instances.


🤖 AI Intelligence Analysis Analyzed: Apr 30, 2026 23:48
🇸🇦 Saudi Arabia Impact Assessment
High impact for Saudi government agencies, consulting firms, and construction/engineering companies using ProjeQtor for project management. Government entities under NCA oversight face critical risk if ProjeQtor instances are internet-facing. Saudi construction and engineering sectors (particularly those supporting ARAMCO, NEOM, and Vision 2030 projects) are at elevated risk. Financial services firms using ProjeQtor for project tracking could face data exfiltration and compliance violations under SAMA regulations. Telecom sector (STC, Mobily) project management systems may be compromised. The vulnerability requires authenticated access but poses RCE risk with web server privileges, potentially leading to lateral movement within organizational networks.
🏢 Affected Saudi Sectors
Government (NCA-regulated entities) Construction and Engineering (NEOM, Vision 2030 projects) Banking and Financial Services (SAMA-regulated) Energy (ARAMCO and subsidiaries) Telecommunications (STC, Mobily, Zain) Healthcare (MOH facilities) Consulting and Professional Services Real Estate and Property Development
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all ProjeQtor instances in your environment (versions 7.0-12.4.3) and document their exposure level (internet-facing vs. internal)
2. Restrict plugin upload functionality to trusted administrators only; disable for standard users immediately
3. Implement network segmentation to limit ProjeQtor access to authorized personnel only
4. Review access logs for suspicious plugin uploads or ZIP file submissions in the past 90 days
5. Monitor web server directories for unexpected PHP files or suspicious file modifications

COMPENSATING CONTROLS (until patch available):
6. Add Web Application Firewall (WAF) rules that inspect ZIP upload bodies for traversal patterns (../, ..\ sequences). Entry names are stored uncompressed in ZIP local headers and the central directory, so a body-inspecting WAF can match them, but treat this as best-effort: nested archives or encoding tricks can evade it, and it is no substitute for controls 7 and 8
7. Configure the web server to deny PHP execution in every directory the web server user can write to (uploads, files, cache, temp), not only the plugin upload directory: a ZipSlip payload lands wherever the traversal sequence points, which by design is outside the upload directory
8. Use AppArmor/SELinux to confine the web server process so it can write only to the directories it legitimately needs (plugin, files, cache, session). A traversal that resolves anywhere else then fails at the kernel regardless of what the application does, which makes this the strongest compensating control for this bug
9. For any in-house code that extracts archives, validate every entry name before writing: reject absolute paths, ".." segments, backslashes and symlink entries, and confirm the resolved target stays inside the destination directory (this is the fix ProjeQtor itself needs to ship for this CVE)
10. Enable detailed logging and alerting for plugin upload activities

DETECTION RULES:
11. Monitor HTTP POST requests to the plugin upload endpoint, both with Content-Type: application/zip and as multipart/form-data uploads carrying a .zip filename
12. Alert on ZIP entries whose names contain ../ or ..\ or begin with /, \ or a drive letter. Entry names inside an archive are not URL-decoded, so %2e%2e is relevant only in the HTTP request path, not in the ZIP itself
13. Monitor for unexpected PHP file creation in web-accessible directories, comparing against a file inventory taken from a clean install
14. Track failed and successful plugin uploads with timestamps and user accounts
15. Monitor web server error logs for extraction-related errors
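Detection rules 11 through 14 turned into running logic, as an added example that is not part of this advisory or of ProjeQtor: a successful POST to the plugin upload endpoint is recorded, any later request to a .php path that is not in the clean-install baseline raises an alert with the uploads that preceded it, and a separate check lists PHP files on disk that the baseline lacks. The upload URL, the baseline script list and the access-log lines are constructed assumptions; substitute the real ProjeQtor endpoint and an inventory taken from your own installation.

```python
"""Added example (not ProjeQtor's code): detection logic for items 11-14 run over
constructed access-log lines. Endpoint, baseline and log lines are assumptions."""
from __future__ import annotations

import re
from datetime import datetime, timedelta
from typing import Optional

# Apache/nginx combined log format; the third field is the authenticated user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

UPLOAD_ENDPOINTS = {"/plugin/upload.php"}                           # hypothetical URL
KNOWN_PHP = {"/index.php", "/view/main.php", "/plugin/upload.php"}  # hypothetical baseline

# Constructed log excerpt: alice uploads a plugin, then a script that is not part of
# the install starts answering requests; bob's traffic is ordinary.
SAMPLE_LOG = [
    '10.0.0.5 - alice [28/Apr/2026:09:12:01 +0300] "POST /plugin/upload.php HTTP/1.1" 200 512',
    '10.0.0.9 - bob [28/Apr/2026:09:12:30 +0300] "GET /view/main.php HTTP/1.1" 200 4100',
    '10.0.0.5 - alice [28/Apr/2026:09:12:40 +0300] "GET /shell.php?c=id HTTP/1.1" 200 87',
    '10.0.0.9 - bob [28/Apr/2026:09:13:02 +0300] "GET /index.php HTTP/1.1" 200 2200',
]


def parse(line: str) -> Optional[dict]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]      # drop the query string before matching
    return rec


def detect(lines, window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Alert on any request to a .php path outside the baseline and attach the
    successful plugin uploads seen in the preceding window as the likely cause."""
    uploads, alerts = [], []
    for rec in filter(None, map(parse, lines)):
        if (rec["method"] == "POST" and rec["path"] in UPLOAD_ENDPOINTS
                and rec["status"].startswith("2")):
            uploads.append(rec)                     # item 11/14: record who uploaded, when
            continue
        if rec["path"].endswith(".php") and rec["path"] not in KNOWN_PHP:
            prior = [u for u in uploads
                     if timedelta(0) <= rec["ts"] - u["ts"] <= window]
            alerts.append({
                "ip": rec["ip"], "user": rec["user"], "path": rec["path"],
                "ts": rec["ts"].isoformat(),
                "uploads_before": [(u["user"], u["ip"], u["ts"].isoformat()) for u in prior],
            })
    return alerts


def unexpected_php(webroot_files, baseline=KNOWN_PHP) -> list[str]:
    """Item 13: PHP files present on disk that the clean-install inventory lacks."""
    return sorted(f for f in webroot_files if f.endswith(".php") and f not in baseline)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
    print(unexpected_php(["/index.php", "/shell.php", "/files/readme.txt"]))
```

The baseline is the important input: a list of every .php path shipped with the installed ProjeQtor version, regenerated after each upgrade, turns "unexpected PHP file" from a vague instruction into an exact set difference. Feed `unexpected_php` the output of a periodic `find` over the web root and `detect` the live access log, and both rules fire without any knowledge of what the webshell is called.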

PATCHING STRATEGY:
16. Track the ProjeQtor project's release notes and security announcements for a fixed version; no patch was listed at the time this entry was published
17. Prepare isolated test environment for patch validation
18. Plan upgrade to patched version as soon as available
19. If no patch forthcoming, evaluate alternative project management solutions
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.12.3.1 - Segregation of duties in system access and change management A.14.2.1 - Secure development policy and procedures A.14.2.5 - Secure development environment A.12.4.1 - Event logging and monitoring A.12.4.3 - Administrator and operator logging A.13.1.3 - Segregation of networks
🔵 SAMA CSF
ID.AM-2: Software and hardware inventory PR.AC-1: Access control policy and procedures PR.AC-4: Access rights and privileges DE.CM-1: System monitoring DE.CM-3: Unauthorized software detection RS.MI-2: Incident response procedures
🟡 ISO 27001:2022
A.6.1.2 - Information security roles and responsibilities A.8.1.1 - User endpoint devices A.12.2.1 - Segregation of networks A.12.4.1 - Event logging A.12.6.1 - Management of technical vulnerabilities A.14.2.1 - Secure development policy
🟣 PCI DSS v4.0.1
Requirement 1.1 - Network segmentation Requirement 6.2 - Security patches Requirement 10.2 - Logging and monitoring Requirement 11.2 - Vulnerability scanning
Note: the control identifiers above are reproduced as the page lists them. Several do not follow the cited framework's own numbering (the A.12.x and A.14.x references under NCA ECC and ISO 27001:2022 use ISO/IEC 27001:2013 Annex A numbering; ISO 27001:2022 renumbered Annex A into clauses 5 to 8, and NCA ECC uses its own x-y-z scheme). Verify every reference against the current control catalogue before citing it in an audit or compliance report.
📊 CVSS Score
8.8
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low, an authenticated account with plugin upload rights)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity High
CVSS Score8.8
CWECWE-22
EPSS0.42%
Exploit No
Patch ✗ No
Published 2026-04-27
Source Feed nvd
🇸🇦 Saudi Risk Score
8.2
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
CWE-22