Vulnerability Details CVE-2019-11378
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.037
EPSS Ranking 87.4%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
Products affected by CVE-2019-11378
-
cpe:2.3:a:projectsend:projectsend:r1053