VYPR

Projectsend

by Projectsend

Source repositories

CVEs (35)

  • CVE-2017-20101Jun 27, 2022
    risk 0.00cvss epss 0.01

    A vulnerability, which was classified as problematic, was found in ProjectSend r754. This affects an unknown part of the file process.php?do=zip_download. The manipulation of the argument client/file leads to information disclosure. It is possible to initiate the attack remotely.

  • CVE-2021-40884Oct 11, 2021
    risk 0.00cvss epss 0.01

    Projectsend version r1295 is affected by sensitive information disclosure. Because of not checking authorization in ids parameter in files-edit.php and id parameter in process.php function, a user with uploader role can download and edit all files of users in application.

  • CVE-2021-40886Oct 11, 2021
    risk 0.00cvss epss 0.01

    Projectsend version r1295 is affected by a directory traversal vulnerability. A user with Uploader role can add value `2` for `chunks` parameter to bypass `fileName` sanitization.

  • CVE-2021-40887Oct 11, 2021
    risk 0.00cvss epss 0.02

    Projectsend version r1295 is affected by a directory traversal vulnerability. Because of lacking sanitization input for files[] parameter, an attacker can add ../ to move all PHP files or any file on the system that has permissions to /upload/files/ folder.

  • CVE-2021-40888Oct 11, 2021
    risk 0.00cvss epss 0.01

    Projectsend version r1295 is affected by Cross Site Scripting (XSS) due to lack of sanitization when echo output data in returnFilesIds() function. A low privilege user can call this function through process.php file and execute scripting code.

  • CVE-2020-28874Jan 21, 2021
    risk 0.00cvss epss 0.02

    reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter).

  • CVE-2018-7201May 22, 2019
    risk 0.00cvss epss 0.01

    CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.

  • CVE-2018-7202May 22, 2019
    risk 0.00cvss epss 0.01

    An issue was discovered in ProjectSend before r1053. XSS exists in the "Name" field on the My Account page.

  • CVE-2019-11533Apr 26, 2019
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 allows remote attackers to inject arbitrary web script or HTML.

  • CVE-2019-11492Apr 26, 2019
    risk 0.00cvss epss 0.01

    ProjectSend before r1070 writes user passwords to the server logs.

  • CVE-2019-11378Apr 20, 2019
    risk 0.00cvss epss 0.04

    An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run…

  • CVE-2016-10732Oct 28, 2018
    risk 0.00cvss epss 0.02

    ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, edit-file.php?file_id=1, or process-zip-download.php, or add_user_form_* parameters to users-add.php.

  • CVE-2016-10734Oct 28, 2018
    risk 0.00cvss epss 0.02

    ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php.

  • CVE-2016-10731Oct 28, 2018
    risk 0.00cvss epss 0.01

    ProjectSend (formerly cFTP) r582 allows SQL injection via manage-files.php with the request parameter status, manage-files.php with the request parameter files, clients.php with the request parameter selected_clients, clients.php with the request parameter status,…

  • CVE-2016-10733Oct 28, 2018
    risk 0.00cvss epss 0.02

    ProjectSend (formerly cFTP) r582 allows directory traversal via file=../ in the process-zip-download.php query string.

Page 2 of 2