CVE-2026-41465
Description
ProjeQtor versions 7.0 through 12.4.3 contain a path traversal vulnerability in the log file viewer at dynamicDialog.php, where the logname parameter is not validated against directory traversal sequences before it is used to construct a file path. Authenticated attackers can inject directory traversal sequences (../) into the logname parameter to read arbitrary .log files that the web server process can access on the filesystem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ProjeQtor versions 7.0 to 12.4.3 contain a path traversal vulnerability in dynamicDialog.php allowing authenticated attackers to read arbitrary .log files via the logname parameter.
Vulnerability
ProjeQtor versions 7.0 through 12.4.3 [1] contain a path traversal vulnerability in the log file viewer at dynamicDialog.php. The logname parameter is not validated against directory traversal sequences before constructing file paths [2][3]. This allows injection of sequences like ../ to escape the intended directory.
Exploitation
An authenticated attacker can exploit this by sending a crafted HTTP request to /tool/dynamicDialog.php with a malicious logname parameter [2]. The only restriction is that the requested name must end in .log, so any file with that extension that the web server process can read is exposed, regardless of which directory it lives in. No user interaction is required, and the attack is remotely exploitable with low privileges [2].
Impact
Successful exploitation leads to unauthorized access to sensitive .log files, including application and system logs. These can disclose internal paths, error messages, and user data [2][3], which supports further reconnaissance of the deployment and may aid privilege escalation.
Mitigation
The vulnerability is patched in ProjeQtor version 12.4.4 [3]. Until the upgrade is applied, the workaround is strict path validation [2]: reject any logname that contains a path separator or a traversal sequence, and confirm that the resolved path still lies inside the intended log directory before opening it.
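The following is an added illustration of the flaw described under Exploitation and of the validation recommended under Mitigation. It is not ProjeQtor's code and makes no claim about how dynamicDialog.php is actually written: vulnerable_read reproduces the pattern the advisory describes (an extension check only, so ../ survives into the path), and hardened_read shows the check a practitioner would want. The sandbox directory layout, file names and contents are constructed for the example; in the real application the value would come from the logname query parameter.

```python
import os
import tempfile


def build_sandbox():
    """Constructed layout: <root>/files/logs holds the legitimate log,
    <root>/secret.log stands in for a .log file outside the viewer's directory."""
    root = tempfile.mkdtemp()
    logdir = os.path.join(root, "files", "logs")
    os.makedirs(logdir)
    with open(os.path.join(logdir, "app.log"), "w") as f:
        f.write("app log line\n")
    with open(os.path.join(root, "secret.log"), "w") as f:
        f.write("outside the log directory\n")
    # A symlink inside the log directory pointing outside it (skipped where
    # symlinks are unsupported); an extension check alone cannot catch this.
    try:
        os.symlink(os.path.join(root, "secret.log"), os.path.join(logdir, "link.log"))
    except OSError:
        pass
    return root, logdir


def vulnerable_read(logdir, logname):
    """Illustrative vulnerable pattern (not ProjeQtor's code): only the
    extension is checked, so '../../secret.log' walks out of logdir."""
    if not logname.endswith(".log"):
        raise ValueError("not a .log file")
    path = os.path.join(logdir, logname)  # traversal sequences pass through untouched
    with open(path) as f:
        return f.read()


def is_safe_logname(logname):
    """Allowlist check: a bare file name, no separators, no '.' / '..', .log suffix."""
    if logname in ("", ".", ".."):
        return False
    if logname != os.path.basename(logname):  # any '/' or '\\' means a path, not a name
        return False
    if "\x00" in logname:
        return False
    return logname.endswith(".log")


def hardened_read(logdir, logname):
    """Illustrative fix: validate the name, then confirm the resolved path is
    still inside the log directory (defence in depth against symlinks)."""
    if not is_safe_logname(logname):
        raise ValueError("invalid log name")
    base = os.path.realpath(logdir)
    path = os.path.realpath(os.path.join(base, logname))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes log directory")
    with open(path) as f:
        return f.read()


def demo():
    """Run both readers against a benign name and a traversal payload."""
    root, logdir = build_sandbox()
    results = {
        "vuln_benign": vulnerable_read(logdir, "app.log"),
        "vuln_traversal": vulnerable_read(logdir, "../../secret.log"),
        "hard_benign": hardened_read(logdir, "app.log"),
    }
    try:
        hardened_read(logdir, "../../secret.log")
        results["hard_traversal"] = "READ (should not happen)"
    except ValueError as e:
        results["hard_traversal"] = "rejected: %s" % e
    if os.path.islink(os.path.join(logdir, "link.log")):
        try:
            hardened_read(logdir, "link.log")
            results["hard_symlink"] = "READ (should not happen)"
        except ValueError as e:
            results["hard_symlink"] = "rejected: %s" % e
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v.strip())
```

The name check alone already defeats the ../ payload; the realpath and commonpath comparison is the second layer that also rejects a .log symlink planted inside the directory, which is why the hardened reader keeps both.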
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0): No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0): No linked articles in our index yet.