CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

ProjectSend before r1070 writes user passwords to the server logs. • https://www.projectsend.org/change-log • CWE-532: Insertion of Sensitive Information into Log File

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, edit-file.php?file_id=1, or process-zip-download.php, or add_user_form_* parameters to users-add.php. • https://github.com/sandboxescape/ProjectSend-multiple-vulnerabilities • CWE-287: Improper Authentication

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php. • https://github.com/sandboxescape/ProjectSend-multiple-vulnerabilities • CWE-285: Improper Authorization

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

ProjectSend (formerly cFTP) r582 allows SQL injection via manage-files.php with the request parameter status, manage-files.php with the request parameter files, clients.php with the request parameter selected_clients, clients.php with the request parameter status, process-zip-download.php with the request parameter file, or home-log.php with the request parameter action. • https://github.com/sandboxescape/ProjectSend-multiple-vulnerabilities • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

ProjectSend (formerly cFTP) r582 allows directory traversal via file=../ in the process-zip-download.php query string. • https://github.com/sandboxescape/ProjectSend-multiple-vulnerabilities • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')