
CVE-2026-41467: Stored XSS via checkValidFileName()

Published 24 April 2026
CVSS 5.1
ProjeQtor
ProjeQtor
From 7.0 to 12.4.4
Executive summary

The application allows file uploads without proper validation, including HTML files that may contain JavaScript. The filename validation function does not block these extensions or inspect content, potentially enabling client-side code execution.

Description

The application allows file uploads where both the filename and content are not properly filtered, creating a risk of client-side JavaScript execution.

The checkValidFileName() function (from Security.php) only performs superficial checks on characters and extensions, but does not prevent uploading .html files containing JavaScript code:

public static function checkValidFileName($fileName, $activeTraceHack=true, $forAttachment=true) {
  // Checks for invalid characters and accents
  if (! preg_match('#^[^/?*:;{}\\<>|"]*\.?[^/?*:;{}\\<>|"]+$#', pq_nvl($fileName))) {
    if ($activeTraceHack) traceHack("filename $fileName containts invalid characters");
  }
  // Minimal extension filtering
  if ($forAttachment) {
    $ext = pq_strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    if (pq_substr($ext,0,3)=='php' or $ext=='htaccess') {
      $fileName .= '.projeqtor.txt';
    }
  }
  return $fileName;
}

The code does not block .html files and does not validate content, allowing malicious script injection through uploaded files.

Attack Vectors

  • Network access: Remote
  • Authentication required: Low
  • User interaction: Required (victim loads malicious content)
  • Scope: Changed (script executes in the victim’s browser context)
  • Type: Stored
  • Injection point: File

Steps to Reproduce (PoC)

  1. Create a malicious HTML file:

     <script>alert('XSS via file upload');</script>

  2. Upload the file via the form:

    • Endpoint: /tool/uploadImage.php, /tool/saveAttachment.php, or equivalent interface.
    • The .html file is accepted despite containing script code.
  3. Client-side execution:

    • Open the file in a browser or access its public URL.
    • The JavaScript executes, confirming the vulnerability.

Impact

Successful exploitation of this vulnerability may lead to significant impacts, including:

  • Session compromise and hijacking
  • Execution of actions on behalf of the user (CSRF-like behavior)
  • Redirection to phishing websites
  • Interception of user inputs (e.g., credentials)
  • Modification of application interface integrity

Possible Mitigation

  1. Strict extension validation: block .html, .htm, .js, etc.
  2. Secure renaming:

     if (in_array($ext, ['html','htm','js'])) {
       $fileName .= '.txt';
     }

  3. Server-side content filtering and storage outside the web root.
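The following is an added example, not ProjeQtor's code, showing how the checkValidFileName() logic quoted above and the three mitigation points could be combined: a bad name is rejected instead of only traced, every extension in the name is inspected rather than only the last one, and the stored file is served with download headers instead of being fetched by direct URL. It assumes plain PHP functions in place of the project's pq_* helpers; safeAttachmentName and sendAttachmentHeaders are hypothetical names chosen for this illustration.

```php
<?php
// Added example, not ProjeQtor's code. Plain PHP functions replace the
// project's pq_* helpers; safeAttachmentName and sendAttachmentHeaders are
// hypothetical names chosen for this illustration.

// Extensions a browser may render or execute when the file is served inline.
const ACTIVE_EXTENSIONS = ['html', 'htm', 'xhtml', 'xht', 'shtml', 'svg', 'js',
                           'mjs', 'phtml', 'phar', 'htaccess', 'htpasswd'];

/**
 * Returns a storage-safe name or throws. Unlike checkValidFileName(), a bad
 * name is rejected rather than only traced, and every extension in the name
 * is inspected (evil.php.html, evil.html.jpg), not just the last one.
 */
function safeAttachmentName(string $fileName): string
{
    $name = basename(str_replace('\\', '/', $fileName)); // drop any path part
    $name = rtrim($name, ". \t\r\n"); // trailing dots/blanks that Windows ignores
    if ($name === '') {
        throw new InvalidArgumentException('empty file name');
    }
    // Same character set as the original check, plus control characters;
    // '\\\\' in a single-quoted string is a literal backslash for PCRE.
    if (!preg_match('#^[^/?*:;{}\\\\<>|"\x00-\x1f]+$#', $name)) {
        throw new InvalidArgumentException('invalid characters in file name');
    }
    $parts = explode('.', $name);
    array_shift($parts); // the base name itself is not an extension
    foreach ($parts as $ext) {
        $ext = strtolower($ext);
        if (in_array($ext, ACTIVE_EXTENSIONS, true) || substr($ext, 0, 3) === 'php') {
            return $name . '.txt'; // keep the upload, but make it inert
        }
    }
    return $name;
}

/**
 * Headers for serving a stored attachment: force a download and forbid MIME
 * sniffing so that even a misclassified file is never rendered in the
 * application's origin. Storing files outside the web root and serving them
 * only through a handler that sends these headers closes the direct-URL path.
 */
function sendAttachmentHeaders(string $storedName): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($storedName));
}
```

The extension list is a starting point, not a complete denylist; an allowlist of the document types the deployment actually needs is stricter and easier to reason about.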

Authors

© 2023 Yassine Damiri. All Rights Reserved.