CVE-2023-0607 – Cross-site Scripting (XSS) - Stored in projectsend/projectsend
https://notcve.org/view.php?id=CVE-2023-0607
Cross-site Scripting (XSS) - Stored in GitHub repository projectsend/projectsend prior to r1606. • https://github.com/projectsend/projectsend/commit/698be4ade1db6ae0eaf27c843a03ffc9683cca0a https://huntr.dev/bounties/9294743d-7818-4264-b973-59de027d549b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-20101 – ProjectSend information disclosure
https://notcve.org/view.php?id=CVE-2017-20101
A vulnerability, which was classified as problematic, was found in ProjectSend r754. This affects an unknown part of the file process.php?do=zip_download. The manipulation of the argument client/file leads to information disclosure. It is possible to initiate the attack remotely. • http://seclists.org/fulldisclosure/2017/Feb/58 https://vuldb.com/?id.97275 https://youtu.be/Xc6Jg9I7Pj4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2020-28874
https://notcve.org/view.php?id=CVE-2020-28874
reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter). El archivo reset-password.php en ProjectSend versiones anteriores a r1295, permite a atacantes remotos restablecer una contraseña debido a una lógica comercial incorrecta. Los errores no son apropiadamente considerados (un parámetro de token no válido) • https://github.com/varandinawer/CVE-2020-28874 http://projectsend.com https://github.com/projectsend/projectsend/commit/440204734e9a1687cb9887e1c887173d23c5a93e https://github.com/projectsend/projectsend/commits/master https://github.com/projectsend/projectsend/releases/tag/r1295 • CWE-287: Improper Authentication CWE-404: Improper Resource Shutdown or Release •
CVE-2018-7201
https://notcve.org/view.php?id=CVE-2018-7201
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel. Fue encontrada una inyección de archivo CSV en ProjectSend antes de la versión r1053, afectando a las víctimas que importan los datos en Microsoft Excel. • https://www.projectsend.org/change-log-detail/r1053 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVE-2018-7202
https://notcve.org/view.php?id=CVE-2018-7202
An issue was discovered in ProjectSend before r1053. XSS exists in the "Name" field on the My Account page. Se ha detectado un problema en ProjectSend antes de R1053. XSS existe en el campo "Name " en la página My Account. • https://www.projectsend.org/change-log-detail/r1053 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •