
CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) before commit 6c3710430be26feb5371cb0377e5355d6f9a27ca allows remote attackers to inject arbitrary web script or HTML via the Description field in My account Name updated, related to home.php and actions-log.php. • https://github.com/ignacionelson/ProjectSend/pull/448/commits/6c3710430be26feb5371cb0377e5355d6f9a27ca • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) before commit 6c3710430be26feb5371cb0377e5355d6f9a27ca allows remote attackers to inject arbitrary web script or HTML via the Description field in a Site name updated. • https://github.com/ignacionelson/ProjectSend/compare/448/commits https://github.com/ignacionelson/ProjectSend/pull/448/commits/6c3710430be26feb5371cb0377e5355d6f9a27ca • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 5

SQL injection vulnerability in client-edit.php in ProjectSend (formerly cFTP) r561 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to users-edit.php. • https://www.exploit-db.com/exploits/36303 http://osvdb.org/show/osvdb/119169 http://packetstormsecurity.com/files/130691/ProjectSend-r561-SQL-Injection.html http://seclists.org/fulldisclosure/2015/Mar/30 http://www.exploit-db.com/exploits/36303 http://www.itas.vn/news/itas-team-found-out-a-SQL-Injection-vulnerability-in-projectsend-r561-76.html http://www.securityfocus.com/archive/1/534832/100/0/threaded • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 3

Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) r561 allows remote attackers to inject arbitrary web script or HTML via the Description field in a file upload. NOTE: this issue was originally incorrectly mapped to CVE-2014-1155; see CVE-2014-1155 for more information. • https://www.exploit-db.com/exploits/35582 http://packetstormsecurity.com/files/129666 http://www.exploit-db.com/exploits/35582 https://exchange.xforce.ibmcloud.com/vulnerabilities/99550 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 14% • CPEs: 15 • EXPL: 5

Unrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in the upload/files/ or upload/temp/ directory. • https://www.exploit-db.com/exploits/35660 https://www.exploit-db.com/exploits/35424 http://osvdb.org/show/osvdb/116469 http://packetstormsecurity.com/files/129759/ProjectSend-Arbitrary-File-Upload.html http://www.exploit-db.com/exploits/35424 http://www.exploit-db.com/exploits/35660 https://exchange.xforce.ibmcloud.com/vulnerabilities/99548 • CWE-94: Improper Control of Generation of Code ('Code Injection')