A directory traversal vulnerability exists in ProjectSend version r1295, a free, customer-facing private file sharing Web application. The vulnerability stems from a lack of validation of the input to the files[] parameter. An attacker could exploit the vulnerability by adding … /upload/files/ folder to all PHP files or any files on the system to which access is granted.