Shodan
Vulnerabilities
Vulnerable Software
Projectsend:  Security Vulnerabilities
CVE-2021-40886
Projectsend version r1295 is affected by a directory traversal vulnerability. A user with Uploader role can add value `2` for `chunks` parameter to bypass `fileName` sanitization.
CVSS Score
6.5
EPSS Score
0.004
Published
2021-10-11
CVE-2021-40887
Projectsend version r1295 is affected by a directory traversal vulnerability. Because of lacking sanitization input for files[] parameter, an attacker can add ../ to move all PHP files or any file on the system that has permissions to /upload/files/ folder.
CVSS Score
9.8
EPSS Score
0.008
Published
2021-10-11
CVE-2021-40888
Projectsend version r1295 is affected by Cross Site Scripting (XSS) due to lack of sanitization when echo output data in returnFilesIds() function. A low privilege user can call this function through process.php file and execute scripting code.
CVSS Score
5.4
EPSS Score
0.003
Published
2021-10-11
CVE-2020-28874
reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter).
CVSS Score
7.5
EPSS Score
0.014
Published
2021-01-26
CVE-2018-7201
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
CVSS Score
8.8
EPSS Score
0.004
Published
2019-05-22
CVE-2018-7202
An issue was discovered in ProjectSend before r1053. XSS exists in the "Name" field on the My Account page.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-05-22
CVE-2019-11492
ProjectSend before r1070 writes user passwords to the server logs.
CVSS Score
7.5
EPSS Score
0.003
Published
2019-04-26
CVE-2019-11533
Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 allows remote attackers to inject arbitrary web script or HTML.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-04-26
CVE-2019-11378
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVSS Score
8.8
EPSS Score
0.025
Published
2019-04-20
CVE-2016-10732
ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, edit-file.php?file_id=1, or process-zip-download.php, or add_user_form_* parameters to users-add.php.
CVSS Score
9.8
EPSS Score
0.001
Published
2018-10-29


Products
Pricing
Contact Us

Shodan ® - All rights reserved