
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

Cross-site Scripting (XSS) - Stored in GitHub repository projectsend/projectsend prior to r1606. • https://github.com/projectsend/projectsend/commit/698be4ade1db6ae0eaf27c843a03ffc9683cca0a https://huntr.dev/bounties/9294743d-7818-4264-b973-59de027d549b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.7 | EPSS: 0% | CPEs: 1 | EXPL: 2

A vulnerability, which was classified as problematic, was found in ProjectSend r754. This affects an unknown part of the file process.php?do=zip_download. The manipulation of the argument client/file leads to information disclosure. It is possible to initiate the attack remotely. • http://seclists.org/fulldisclosure/2017/Feb/58 https://vuldb.com/?id.97275 https://youtu.be/Xc6Jg9I7Pj4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Projectsend version r1295 is affected by sensitive information disclosure. Because authorization is not checked for the ids parameter in files-edit.php and the id parameter in the process.php function, a user with the uploader role can download and edit the files of all users in the application. • https://github.com/projectsend/projectsend/issues/992 • CWE-862: Missing Authorization

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

Projectsend version r1295 is affected by a directory traversal vulnerability. A user with the Uploader role can set the `chunks` parameter to the value `2` to bypass `fileName` sanitization. • https://github.com/projectsend/projectsend/issues/993 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

Projectsend version r1295 is affected by a directory traversal vulnerability. Because input to the files[] parameter is not sanitized, an attacker can add ../ to move all PHP files, or any other file on the system for which the application has permissions, into the /upload/files/ folder. • https://github.com/projectsend/projectsend/issues/994 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')