Projectsend
by Projectsend
Source repositories
CVEs (35)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-20101 | 0.00 | — | 0.01 | Jun 27, 2022 | A vulnerability, which was classified as problematic, was found in ProjectSend r754. This affects an unknown part of the file process.php?do=zip_download. The manipulation of the argument client/file leads to information disclosure. It is possible to initiate the attack remotely. | |||
| CVE-2021-40884 | 0.00 | — | 0.01 | Oct 11, 2021 | Projectsend version r1295 is affected by sensitive information disclosure. Because of not checking authorization in ids parameter in files-edit.php and id parameter in process.php function, a user with uploader role can download and edit all files of users in application. | |||
| CVE-2021-40886 | 0.00 | — | 0.01 | Oct 11, 2021 | Projectsend version r1295 is affected by a directory traversal vulnerability. A user with Uploader role can add value `2` for `chunks` parameter to bypass `fileName` sanitization. | |||
| CVE-2021-40887 | 0.00 | — | 0.02 | Oct 11, 2021 | Projectsend version r1295 is affected by a directory traversal vulnerability. Because of lacking sanitization input for files[] parameter, an attacker can add ../ to move all PHP files or any file on the system that has permissions to /upload/files/ folder. | |||
| CVE-2021-40888 | 0.00 | — | 0.01 | Oct 11, 2021 | Projectsend version r1295 is affected by Cross Site Scripting (XSS) due to lack of sanitization when echo output data in returnFilesIds() function. A low privilege user can call this function through process.php file and execute scripting code. | |||
| CVE-2020-28874 | 0.00 | — | 0.02 | Jan 21, 2021 | reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter). | |||
| CVE-2018-7201 | 0.00 | — | 0.01 | May 22, 2019 | CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel. | |||
| CVE-2018-7202 | 0.00 | — | 0.01 | May 22, 2019 | An issue was discovered in ProjectSend before r1053. XSS exists in the "Name" field on the My Account page. | |||
| CVE-2019-11533 | 0.00 | — | 0.01 | Apr 26, 2019 | Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 allows remote attackers to inject arbitrary web script or HTML. | |||
| CVE-2019-11492 | 0.00 | — | 0.01 | Apr 26, 2019 | ProjectSend before r1070 writes user passwords to the server logs. | |||
| CVE-2019-11378 | 0.00 | — | 0.04 | Apr 20, 2019 | An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run… | |||
| CVE-2016-10732 | 0.00 | — | 0.02 | Oct 28, 2018 | ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, edit-file.php?file_id=1, or process-zip-download.php, or add_user_form_* parameters to users-add.php. | |||
| CVE-2016-10734 | 0.00 | — | 0.02 | Oct 28, 2018 | ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php. | |||
| CVE-2016-10731 | 0.00 | — | 0.01 | Oct 28, 2018 | ProjectSend (formerly cFTP) r582 allows SQL injection via manage-files.php with the request parameter status, manage-files.php with the request parameter files, clients.php with the request parameter selected_clients, clients.php with the request parameter status,… | |||
| CVE-2016-10733 | 0.00 | — | 0.02 | Oct 28, 2018 | ProjectSend (formerly cFTP) r582 allows directory traversal via file=../ in the process-zip-download.php query string. |
- CVE-2017-20101Jun 27, 2022risk 0.00cvss —epss 0.01
A vulnerability, which was classified as problematic, was found in ProjectSend r754. This affects an unknown part of the file process.php?do=zip_download. The manipulation of the argument client/file leads to information disclosure. It is possible to initiate the attack remotely.
- CVE-2021-40884Oct 11, 2021risk 0.00cvss —epss 0.01
Projectsend version r1295 is affected by sensitive information disclosure. Because of not checking authorization in ids parameter in files-edit.php and id parameter in process.php function, a user with uploader role can download and edit all files of users in application.
- CVE-2021-40886Oct 11, 2021risk 0.00cvss —epss 0.01
Projectsend version r1295 is affected by a directory traversal vulnerability. A user with Uploader role can add value `2` for `chunks` parameter to bypass `fileName` sanitization.
- CVE-2021-40887Oct 11, 2021risk 0.00cvss —epss 0.02
Projectsend version r1295 is affected by a directory traversal vulnerability. Because of lacking sanitization input for files[] parameter, an attacker can add ../ to move all PHP files or any file on the system that has permissions to /upload/files/ folder.
- CVE-2021-40888Oct 11, 2021risk 0.00cvss —epss 0.01
Projectsend version r1295 is affected by Cross Site Scripting (XSS) due to lack of sanitization when echo output data in returnFilesIds() function. A low privilege user can call this function through process.php file and execute scripting code.
- CVE-2020-28874Jan 21, 2021risk 0.00cvss —epss 0.02
reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter).
- CVE-2018-7201May 22, 2019risk 0.00cvss —epss 0.01
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
- CVE-2018-7202May 22, 2019risk 0.00cvss —epss 0.01
An issue was discovered in ProjectSend before r1053. XSS exists in the "Name" field on the My Account page.
- CVE-2019-11533Apr 26, 2019risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 allows remote attackers to inject arbitrary web script or HTML.
- CVE-2019-11492Apr 26, 2019risk 0.00cvss —epss 0.01
ProjectSend before r1070 writes user passwords to the server logs.
- CVE-2019-11378Apr 20, 2019risk 0.00cvss —epss 0.04
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run…
- CVE-2016-10732Oct 28, 2018risk 0.00cvss —epss 0.02
ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, edit-file.php?file_id=1, or process-zip-download.php, or add_user_form_* parameters to users-add.php.
- CVE-2016-10734Oct 28, 2018risk 0.00cvss —epss 0.02
ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php.
- CVE-2016-10731Oct 28, 2018risk 0.00cvss —epss 0.01
ProjectSend (formerly cFTP) r582 allows SQL injection via manage-files.php with the request parameter status, manage-files.php with the request parameter files, clients.php with the request parameter selected_clients, clients.php with the request parameter status,…
- CVE-2016-10733Oct 28, 2018risk 0.00cvss —epss 0.02
ProjectSend (formerly cFTP) r582 allows directory traversal via file=../ in the process-zip-download.php query string.
Page 2 of 2