
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

01 Feb 2023 — Cross-site Scripting (XSS) - Stored in GitHub repository projectsend/projectsend prior to r1606. • https://github.com/projectsend/projectsend/commit/698be4ade1db6ae0eaf27c843a03ffc9683cca0a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

21 Jan 2021 — reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic: error conditions (an invalid token parameter) are not properly handled. • https://github.com/varandinawer/CVE-2020-28874 • CWE-287: Improper Authentication; CWE-404: Improper Resource Shutdown or Release

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

22 May 2019 — CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the exported data into Microsoft Excel. • https://www.projectsend.org/change-log-detail/r1053 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

22 May 2019 — An issue was discovered in ProjectSend before r1053. XSS exists in the "Name" field on the My Account page. • https://www.projectsend.org/change-log-detail/r1053 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

26 Apr 2019 — Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 allows remote attackers to inject arbitrary web script or HTML. • http://www.securityfocus.com/bid/108088 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

26 Apr 2019 — ProjectSend before r1070 writes user passwords to the server logs. • https://www.projectsend.org/change-log • CWE-532: Insertion of Sensitive Information into Log File

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Oct 2018 — ProjectSend (formerly cFTP) r582 allows SQL injection via manage-files.php with the request parameter status, manage-files.php with the request parameter files, clients.php with the request parameter selected_clients, clients.php with the request parameter status, process-zip-download.php with the request parameter file, or home-log.php with the request parameter action. • https://github.com/sandboxescape/ProjectSend-multiple-vulnerabilities • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Oct 2018 — ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php. • https://github.com/sandboxescape/ProjectSend-multiple-vulnerabilities • CWE-285: Improper Authorization

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Oct 2018 — ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, edit-file.php?file_id=1, or process-zip-download.php, or via add_user_form_* parameters to users-add.php. • https://github.com/sandboxescape/ProjectSend-multiple-vulnerabilities • CWE-287: Improper Authentication

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Oct 2018 — ProjectSend (formerly cFTP) r582 allows directory traversal via file=../ in the process-zip-download.php query string. • https://github.com/sandboxescape/ProjectSend-multiple-vulnerabilities • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')