CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-40888
https://notcve.org/view.php?id=CVE-2021-40888
Projectsend version r1295 is affected by Cross Site Scripting (XSS) due to lack of sanitization when echo output data in returnFilesIds() function. A low privilege user can call this function through process.php file and execute scripting code. Projectsend versión r1295, está afectada por un ataque de tipo Cross Site Scripting (XSS) debido a una falta de saneo cuando se hace eco de los datos de salida en la función returnFilesIds(). Un usuario con pocos privilegios puede llamar a esta función mediante el archivo process.php y ejecutar código de scripting • https://github.com/projectsend/projectsend/issues/995 https://github.com/projectsend/projectsend/releases/tag/r1295 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28874
https://notcve.org/view.php?id=CVE-2020-28874
reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter). El archivo reset-password.php en ProjectSend versiones anteriores a r1295, permite a atacantes remotos restablecer una contraseña debido a una lógica comercial incorrecta. Los errores no son apropiadamente considerados (un parámetro de token no válido) • https://github.com/varandinawer/CVE-2020-28874 http://projectsend.com https://github.com/projectsend/projectsend/commit/440204734e9a1687cb9887e1c887173d23c5a93e https://github.com/projectsend/projectsend/commits/master https://github.com/projectsend/projectsend/releases/tag/r1295 • CWE-287: Improper Authentication CWE-404: Improper Resource Shutdown or Release •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-7201
https://notcve.org/view.php?id=CVE-2018-7201
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel. Fue encontrada una inyección de archivo CSV en ProjectSend antes de la versión r1053, afectando a las víctimas que importan los datos en Microsoft Excel. • https://www.projectsend.org/change-log-detail/r1053 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-7202
https://notcve.org/view.php?id=CVE-2018-7202
An issue was discovered in ProjectSend before r1053. XSS exists in the "Name" field on the My Account page. Se ha detectado un problema en ProjectSend antes de R1053. XSS existe en el campo "Name " en la página My Account. • https://www.projectsend.org/change-log-detail/r1053 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11533
https://notcve.org/view.php?id=CVE-2019-11533
Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 allows remote attackers to inject arbitrary web script or HTML. Una vulnerabilidad de cross-site scripting (XSS) en ProjectSend, versiones anteriores a r1070, permite a los atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios. • http://www.securityfocus.com/bid/108088 https://www.projectsend.org/change-log • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •